Logical Methods in Computer Science 
Vol. 3 (2:7) 2007, pp. 1-33 
www.lmcs-online.org 



Submitted Oct. 25, 2006 
Published Jun. 29, 2007 



THE COMPLEXITY OF MODEL CHECKING HIGHER-ORDER FIXPOINT LOGIC

ROLAND AXELSSON^a, MARTIN LANGE^b AND RAFAL SOMLA^c

^a Department of Computer Science, University of Munich, Germany
e-mail address: Roland.Axelsson@ifi.lmu.de

^b Department of Computer Science, University of Aarhus, Denmark
e-mail address: Martin.Lange@ifi.lmu.de

^c IT Department, Uppsala University, Sweden
e-mail address: Rafal.Somla@it.uu.se



Abstract. Higher-Order Fixpoint Logic (HFL) is a hybrid of the simply typed λ-calculus
and the modal μ-calculus. This makes it a highly expressive temporal logic that is capable
of expressing various interesting correctness properties of programs that are not expressible
in the modal μ-calculus.

This paper provides complexity results for its model checking problem. In particular,
we consider those fragments of HFL that are built by using only types of bounded order k
and arity m. We establish k-fold exponential time completeness for model checking each
such fragment. For the upper bound we use fixpoint elimination to obtain reachability
games that are singly-exponential in the size of the formula and k-fold exponential in
the size of the underlying transition system. These games can be solved in deterministic
linear time. As a simple consequence, we obtain an exponential time upper bound on the
expression complexity of each such fragment.

The lower bound is established by a reduction from the word problem for alternating
(k − 1)-fold exponential space bounded Turing Machines. Since there are fixed machines of
that type whose word problems are already hard with respect to k-fold exponential time,
we obtain, as a corollary, k-fold exponential time completeness for the data complexity
of our fragments of HFL, provided m exceeds 3. This also yields a hierarchy result in
expressive power.



1. Introduction 

Temporal logics are well-established tools for the specification of correctness properties
and their verification in hard- and software design processes. One of the most famous
temporal logics is Kozen's modal μ-calculus [15] which extends multi-modal logic with
extremal fixpoint quantifiers. $\mathcal{L}_\mu$ subsumes many other temporal logics like PDL [11] as well
as CTL* [9], and with it CTL [8] and LTL [23]. It also has connections to other formalisms
like description logics for example.

2000 ACM Subject Classification: F.3.1, F.4.1.

$\mathcal{L}_\mu$ is equi-expressive to the bisimulation-invariant fragment of Monadic Second Order
Logic over trees or graphs [10, 13]. Hence, properties expressed by formulas of the modal
μ-calculus are only regular. There are, however, many interesting correctness properties of
programs that are not regular. Examples include uniform inevitability [7] which states that
a certain event occurs globally at the same time in all possible runs of the system; counting
properties like "at any point in a run of a protocol there have never been more send- than
receive-actions"; formulas saying that an unbounded number of data does not lose its order
during a transmission process; or properties making structural assertions about their models
like being bisimilar to a linear time model.

When program verification was introduced to computer science, programs as well as
their correctness properties were mainly specified in temporal logics. Hence, verification
meant to check formulas of the form $\varphi \to \psi$ for validity, or equally formulas of the form
$\varphi \wedge \neg\psi$ for satisfiability. An intrinsic problem for this approach and non-regular properties
is undecidability. Note that the intersection problem for context-free languages is already
undecidable [1].

One of the earliest attempts at verifying non-regular properties of programs was Non-Regular
PDL [12] which enriches ordinary PDL by context-free programs. Non-Regular
PDL is highly undecidable, hence, the logic did not receive much attention for program
verification purposes. Its model checking problem, however, remains decidable on finite
transition systems; it is even in P [16].

Another example is Fixpoint Logic with Chop, FLC, [22] which extends $\mathcal{L}_\mu$ with a
sequential composition operator. It is capable of expressing many non-regular, and even
non-context-free, properties, and its model checking problem on finite transition systems
is decidable in deterministic exponential time [21]. It also properly subsumes Non-Regular
PDL [20].

In order to achieve non-regular effects in FLC, the original semantics is lifted to a
function from sets of states to sets of states. This idea has been followed consistently in the
introduction of Higher-Order Fixpoint Logic, HFL, [28] which incorporates a simply typed
λ-calculus into the modal μ-calculus. This gives it even more expressive power than FLC.
HFL is, for example, capable of expressing assume-guarantee properties. Still, HFL's model
checking problem on finite transition systems remains decidable. This has been stated in
its introductory work [28]. It is also known that model checking HFL is non-elementary
with the following complexity bounds [19].

• When restricted to function types of order k, the model checking problem for this
fragment is hard for deterministic (k − 3)-fold exponential space and included in
deterministic (k + 1)-fold exponential time. It is not made explicit, though, that
the arity of types needs to be fixed for that.

• The model checking problem is non-elementary on fixed (and very small) structures
already. However, unbounded type orders are needed for this result.

Our aim is to close this apparent gap and to provide an analysis of the model checking 
problem for HFL and, thus, the problem of automatically verifying non-regular properties 
on finite transition systems. 

We start in Sect. 2 by recalling the logic and giving a few examples of HFL-expressible
properties. Sect. 3 contains a reduction from HFL's model checking problem to the problem
of solving (rather large) reachability games. This improves the upper bound mentioned
above: these games can be solved in k-fold exponential time when type orders are bounded
by k and arities are fixed.

Sect. 4 presents a reduction from the word problem for alternating space-bounded
Turing Machines to HFL's model checking problem. This improves on the lower bounds
mentioned above in two ways. For the fragment of type orders restricted to k we can
match the new upper bound and establish completeness for the class of k-fold deterministic
exponential time. A slight modification produces formulas that are independent of the input
word to the Turing Machine. Hence, we get a result on the data complexity of HFL as a
simple corollary. This, in turn, yields a hierarchy result on expressive power within HFL.

A non-elementary lower complexity bound on the problem of a logic that incorporates
the simply typed λ-calculus is of course reminiscent of Statman's result which states that
the normalisation problem in the simply typed λ-calculus is non-elementary [25]. But this is
rather related to the equivalence problem for HFL which is known to be highly undecidable
[12, 20, 28]. Since HFL is a branching time logic there is probably no simple reduction from
the equivalence problem to the model checking problem. Hence, the lower bounds presented
here do not necessarily follow from Statman's result.

Furthermore, Statman's result is of course irrelevant for the upper bounds presented
here. There is some work on upper bounds for the number of β-reduction steps in the
simply typed λ-calculus, c.f. [24]. However, this is not good enough to obtain the upper
bounds we are after, c.f. Sect. 3. It also does not deal with the propositional, modal and
fixpoint parts of HFL formulas.



2. Preliminaries

2.1. The Syntax of Formulas.

Definition 2.1. Let $\mathcal{P} = \{p, q, \ldots\}$ be a set of atomic propositions, $\mathcal{A} = \{a, b, \ldots\}$ be a
finite set of action names, and $\mathcal{V} = \{X, Y, \ldots\}$ a set of variables. For simplicity, we fix $\mathcal{P}$,
$\mathcal{A}$, and $\mathcal{V}$ for the rest of the paper.

A $v \in \{-, +, 0\}$ is called a variance. The set of HFL types is the smallest set containing
the atomic type $Pr$ and being closed under function typing with variances, i.e. if $\sigma$ and $\tau$
are HFL types and $v$ is a variance, then $\sigma^v \to \tau$ is an HFL type.

Formulas of HFL are given by the following grammar:

$$\varphi \;::=\; q \;\mid\; X \;\mid\; \neg\varphi \;\mid\; \varphi \vee \varphi \;\mid\; \langle a \rangle\varphi \;\mid\; (\varphi\ \varphi) \;\mid\; \lambda(X^v : \tau).\varphi \;\mid\; \mu(X : \tau).\varphi$$

where $q \in \mathcal{P}$, $X \in \mathcal{V}$, $a \in \mathcal{A}$, $v$ is a variance and $\tau$ is an HFL type.

An HFL formula $\varphi$ is called fixpoint-free if it does not contain any subformula of the
form $\mu X.\psi$.

Throughout this paper we will adopt the convention given by the syntax of HFL and
write function application in the style $f\ x$ rather than $f(x)$.
We use the following standard abbreviations:

$$\begin{array}{rcl@{\qquad\qquad}rcl}
tt &:=& q \vee \neg q \ \text{ for some } q & ff &:=& \neg tt \\
\varphi \wedge \psi &:=& \neg(\neg\varphi \vee \neg\psi) & \varphi \to \psi &:=& \neg\varphi \vee \psi \\
\varphi \leftrightarrow \psi &:=& (\varphi \to \psi) \wedge (\psi \to \varphi) & [a]\varphi &:=& \neg\langle a \rangle\neg\varphi \\
\langle - \rangle\varphi &:=& \bigvee_{a \in \mathcal{A}} \langle a \rangle\varphi & [-]\varphi &:=& \neg\langle - \rangle\neg\varphi \\
\nu X.\varphi &:=& \neg\mu X.\neg\varphi[\neg X/X]
\end{array}$$
$$
\frac{}{\Gamma \vdash q : Pr}
\qquad
\frac{v \in \{0, +\}}{\Gamma, X^v : \tau \vdash X : \tau}
\qquad
\frac{\Gamma^- \vdash \varphi : \tau}{\Gamma \vdash \neg\varphi : \tau}
\qquad
\frac{\Gamma \vdash \varphi : Pr \quad\ \Gamma \vdash \psi : Pr}{\Gamma \vdash \varphi \vee \psi : Pr}
$$

$$
\frac{\Gamma \vdash \varphi : Pr}{\Gamma \vdash \langle a \rangle\varphi : Pr}
\qquad
\frac{\Gamma, X^v : \sigma \vdash \varphi : \tau}{\Gamma \vdash \lambda(X^v : \sigma).\varphi : (\sigma^v \to \tau)}
\qquad
\frac{\Gamma \vdash \varphi : (\sigma^+ \to \tau) \quad\ \Gamma \vdash \psi : \sigma}{\Gamma \vdash (\varphi\ \psi) : \tau}
$$

$$
\frac{\Gamma \vdash \varphi : (\sigma^- \to \tau) \quad\ \Gamma^- \vdash \psi : \sigma}{\Gamma \vdash (\varphi\ \psi) : \tau}
\qquad
\frac{\Gamma \vdash \varphi : (\sigma^0 \to \tau) \quad\ \Gamma \vdash \psi : \sigma \quad\ \Gamma^- \vdash \psi : \sigma}{\Gamma \vdash (\varphi\ \psi) : \tau}
\qquad
\frac{\Gamma, X^+ : \tau \vdash \varphi : \tau}{\Gamma \vdash \mu(X : \tau).\varphi : \tau}
$$

Figure 1: Type inference rules for HFL.



where $\varphi[\psi/X]$ denotes the formula that results from $\varphi$ by replacing simultaneously every
occurrence of $X$ by $\psi$.

Definition 2.2. A sequence $\Gamma$ of the form $X_1^{v_1} : \tau_1, \ldots, X_n^{v_n} : \tau_n$ where $X_i$ are variables, $\tau_i$
are types and $v_i$ are variances is called a context (we assume all $X_i$ are distinct). An HFL
formula $\varphi$ has type $\tau$ in context $\Gamma$ if the statement $\Gamma \vdash \varphi : \tau$ can be inferred using the rules
of Fig. 1. We say that $\varphi$ is well-formed if $\Gamma \vdash \varphi : \tau$ for some $\Gamma$ and $\tau$.

For a variance $v$ we define its complement $v^-$ as $+$ if $v = -$, as $-$ if $v = +$, and $0$
otherwise. For a context $\Gamma = X_1^{v_1} : \tau_1, \ldots, X_n^{v_n} : \tau_n$, the complement $\Gamma^-$ is defined as
$X_1^{v_1^-} : \tau_1, \ldots, X_n^{v_n^-} : \tau_n$.

Definition 2.3. The Fischer-Ladner closure of an HFL formula $\varphi_0$ is the least set $FL(\varphi_0)$
that contains $\varphi_0$ and satisfies the following.

• If $\psi_1 \vee \psi_2 \in FL(\varphi_0)$ then $\{\psi_1, \psi_2\} \subseteq FL(\varphi_0)$.

• If $\neg(\psi_1 \vee \psi_2) \in FL(\varphi_0)$ then $\{\neg\psi_1, \neg\psi_2\} \subseteq FL(\varphi_0)$.

• If $\langle a \rangle\psi \in FL(\varphi_0)$ then $\psi \in FL(\varphi_0)$.

• If $\neg\langle a \rangle\psi \in FL(\varphi_0)$ then $\neg\psi \in FL(\varphi_0)$.

• If $(\varphi\ \psi) \in FL(\varphi_0)$ then $\{\varphi, \psi, \neg\psi\} \subseteq FL(\varphi_0)$.

• If $\neg(\varphi\ \psi) \in FL(\varphi_0)$ then $\{\neg\varphi, \psi, \neg\psi\} \subseteq FL(\varphi_0)$.

• If $\lambda X.\psi \in FL(\varphi_0)$ then $\psi \in FL(\varphi_0)$.

• If $\neg(\lambda X.\psi) \in FL(\varphi_0)$ then $\neg\psi \in FL(\varphi_0)$.

• If $\mu X.\psi \in FL(\varphi_0)$ then $\psi \in FL(\varphi_0)$.

• If $\neg(\mu X.\psi) \in FL(\varphi_0)$ then $\neg\psi[\neg X/X] \in FL(\varphi_0)$.

• If $\neg\neg\psi \in FL(\varphi_0)$ then $\psi \in FL(\varphi_0)$.

• If $\neg X \in FL(\varphi_0)$ then $X \in FL(\varphi_0)$.

• If $\neg q \in FL(\varphi_0)$ then $q \in FL(\varphi_0)$.

Note that the size of $FL(\varphi)$ as a set is at most twice the length of $\varphi$. We therefore
define $|\varphi| := |FL(\varphi)|$. Another measure for the complexity of a formula is the number $v(\varphi)$
of distinct λ-bound variables occurring in $\varphi$. Formally, let $v(\varphi) := |\{X \mid \lambda X.\psi \in FL(\varphi) \text{ for
some } \psi\}|$.



Note that we do not require α-equivalent formulas to have exactly the same computational measures.

When using least fixpoint quantifiers it is often beneficial to recall the Bekić principle
[2] which states that a simultaneously defined least fixpoint of a monotone function is the
same as a parametrised one. We will use this to allow formulas like

$$\varphi \;:=\; \mu \begin{pmatrix} X_1 \\ \vdots \\ X_n \end{pmatrix} . \begin{pmatrix} \varphi_1(X_1, \ldots, X_n) \\ \vdots \\ \varphi_n(X_1, \ldots, X_n) \end{pmatrix}$$

in the syntax of HFL. This abbreviates

$$\varphi' \;:=\; \mu X_1.\varphi_1\big(X_1,\ \mu X_2.\varphi_2(X_1, X_2, \ldots),\ \ldots,\ \mu X_n.\varphi_n(X_1, \ldots, X_n)\big)$$

in which every occurrence of an $X_i$ outside the scope of its own quantifier is in turn
replaced by a parametrised copy of its fixpoint. Note that the size of $\varphi'$ can be exponentially
bigger than the size of $\varphi$, and this even holds for the number of their subformulas. However,
it is only exponential in $n$, not in $|\varphi|$: $|\varphi'| = O(|\varphi| \cdot 2^n)$.



2.2. The Semantics of Types and Formulas.

Definition 2.4. A (labeled) transition system is a structure $\mathcal{T} = (S, \{\xrightarrow{a} \mid a \in \mathcal{A}\}, L)$
where $S$ is a finite non-empty set of states, $\xrightarrow{a}$ is a binary relation on states for each $a \in \mathcal{A}$,
and $L : S \to 2^{\mathcal{P}}$ is a function labeling each state with the set of propositional constants
that are true in it.

The semantics of a type w.r.t. a transition system $\mathcal{T}$ is a Boolean lattice², inductively
defined on the type as

$$[\![Pr]\!]^{\mathcal{T}} = (2^S, \sqsubseteq_{Pr}), \qquad [\![\sigma^v \to \tau]\!]^{\mathcal{T}} = \big([\![\sigma]\!]^{\mathcal{T},v} \to [\![\tau]\!]^{\mathcal{T}},\ \sqsubseteq_{\sigma^v \to \tau}\big)$$

where $\sqsubseteq_{Pr}$ is simply the set inclusion order $\subseteq$. For two partial orders $\tau = (\tau, \sqsubseteq_\tau)$ and
$\sigma = (\sigma, \sqsubseteq_\sigma)$, $\sigma \to \tau$ denotes the partial order of all monotone functions ordered pointwise.
I.e., in this case,

$$f \sqsubseteq_{\sigma^v \to \tau} g \quad \text{iff} \quad \text{for all } x \in [\![\sigma]\!]^{\mathcal{T}}:\ f\ x \sqsubseteq_\tau g\ x.$$

Moreover, complements in these lattices are denoted by $\overline{f}$ and defined on higher levels as
$\overline{f}\ x = \overline{f\ x}$.

A positive variance leaves a partial order unchanged, $\tau^+ = (\tau, \sqsubseteq_\tau)$, a negative variance
turns it upside-down to make antitone functions look well-behaved, $\tau^- = (\tau, \sqsupseteq_\tau)$, and a
neutral variance flattens it, $\tau^0 = (\tau, \sqsubseteq_\tau \cap \sqsupseteq_\tau)$. This is not a complete lattice anymore
which does not matter since variances only occur on the left of a typing arrow. Note that
the space of monotone functions from a partial order to a Boolean lattice with pointwise
ordering forms a Boolean lattice again.

Definition 2.5. An environment $\eta$ is a possibly partial map on the variable set $\mathcal{V}$. For
a context $\Gamma = X_1^{v_1} : \tau_1, \ldots, X_n^{v_n} : \tau_n$, we say that $\eta$ respects $\Gamma$, denoted by $\eta \models \Gamma$, if
$\eta(X_i) \in [\![\tau_i]\!]^{\mathcal{T}}$ for $i \in \{1, \ldots, n\}$. We write $\eta[X \mapsto f]$ for the environment that maps $X$ to
$f$ and otherwise agrees with $\eta$. If $\eta \models \Gamma$ and $f \in [\![\tau]\!]^{\mathcal{T}}$ then $\eta[X \mapsto f] \models \Gamma, X^v : \tau$, where $X$
is a variable that does not appear in $\Gamma$.

² In the original definition, the semantics is only said to be a complete lattice but it is in fact also
Boolean. The reason for this is that negation is only allowed on the ground type $Pr$ anyway. The game-based
characterisation of HFL's model checking problem in the following section benefits from a symmetric
definition w.r.t. negation. Hence, we allow negation in the syntax on arbitrary type levels. But then we
have to also use the property of being Boolean of the complete lattices that form the basis for the definition
of the semantics.
$$\begin{array}{rcl}
[\![\Gamma \vdash q : Pr]\!]^{\mathcal{T}}_\eta &=& \{ s \in S \mid q \in L(s) \} \\[4pt]
[\![\Gamma \vdash X : \tau]\!]^{\mathcal{T}}_\eta &=& \eta(X) \\[4pt]
[\![\Gamma \vdash \neg\varphi : \tau]\!]^{\mathcal{T}}_\eta &=& \overline{[\![\Gamma^- \vdash \varphi : \tau]\!]^{\mathcal{T}}_\eta} \\[4pt]
[\![\Gamma \vdash \varphi \vee \psi : Pr]\!]^{\mathcal{T}}_\eta &=& [\![\Gamma \vdash \varphi : Pr]\!]^{\mathcal{T}}_\eta \cup [\![\Gamma \vdash \psi : Pr]\!]^{\mathcal{T}}_\eta \\[4pt]
[\![\Gamma \vdash \langle a \rangle\varphi : Pr]\!]^{\mathcal{T}}_\eta &=& \{ s \in S \mid s \xrightarrow{a} t \text{ for some } t \in [\![\Gamma \vdash \varphi : Pr]\!]^{\mathcal{T}}_\eta \} \\[4pt]
[\![\Gamma \vdash \lambda(X^v : \sigma).\varphi : \sigma^v \to \tau]\!]^{\mathcal{T}}_\eta &=& f \in [\![\sigma^v \to \tau]\!]^{\mathcal{T}} \text{ s.t. } \forall x \in [\![\sigma]\!]^{\mathcal{T}}:\ f\ x = [\![\Gamma, X^v : \sigma \vdash \varphi : \tau]\!]^{\mathcal{T}}_{\eta[X \mapsto x]} \\[4pt]
[\![\Gamma \vdash (\varphi\ \psi) : \tau]\!]^{\mathcal{T}}_\eta &=& [\![\Gamma \vdash \varphi : \sigma^v \to \tau]\!]^{\mathcal{T}}_\eta \ \big([\![\Gamma' \vdash \psi : \sigma]\!]^{\mathcal{T}}_\eta\big) \\[4pt]
[\![\Gamma \vdash \mu(X : \tau).\varphi : \tau]\!]^{\mathcal{T}}_\eta &=& \bigsqcap \{ x \in [\![\tau]\!]^{\mathcal{T}} \mid [\![\Gamma, X^+ : \tau \vdash \varphi : \tau]\!]^{\mathcal{T}}_{\eta[X \mapsto x]} \sqsubseteq_\tau x \}
\end{array}$$

Figure 2: Semantics of HFL



For any well-typed term $\Gamma \vdash \varphi : \tau$ and environment $\eta \models \Gamma$, Fig. 2 defines the semantics
of $\varphi$ inductively to be an element of $[\![\tau]\!]^{\mathcal{T}}$. In the clause for function application $(\varphi\ \psi)$ the
context $\Gamma'$ is $\Gamma$ if $v \in \{+, 0\}$, and is $\Gamma^-$ if $v = -$.

The model checking problem for HFL is the following: Given an HFL sentence $\varphi : Pr$,
a transition system $\mathcal{T}$ and one of its states $s$, decide whether or not $s \in [\![\varphi]\!]^{\mathcal{T}}$.

In the following we will identify a type $\tau$ and its underlying complete lattice $[\![\tau]\!]^{\mathcal{T}}$
induced by a transition system $\mathcal{T}$ with state set $S$. In order to simplify notation we fix $\mathcal{T}$
for the remainder of this section. We will also simply write $|\tau|$ instead of $|[\![\tau]\!]^{\mathcal{T}}|$ for the size
of the lattice induced by $\tau$.

Definition 2.6. We consider fragments of formulas that can be built using restricted types
only. Note that because of right-associativity of the function arrow, every HFL type is
isomorphic to a $\tau = \tau_1 \to \ldots \to \tau_m \to Pr$ where $m \in \mathbb{N}$. Clearly, for $m = 0$ we simply
have $\tau = Pr$. We stratify types w.r.t. their order, i.e. the degree of using proper functions
as arguments to other functions, as well as maximal arity, i.e. the number of arguments a
function has. Order can be seen as depth, and maximal arity as the width of a type. Both
are defined recursively as follows.

$$ord(\tau_1 \to \ldots \to \tau_m \to Pr) := \max\{1 + ord(\tau_i) \mid i = 1, \ldots, m\}$$

$$mar(\tau_1 \to \ldots \to \tau_m \to Pr) := \max(\{m\} \cup \{mar(\tau_i) \mid i = 1, \ldots, m\})$$

where we assume $\max \emptyset = 0$. Now let, for $k \geq 1$ and $m \geq 1$,

$$HFL^{k,m} := \{\ \varphi \in HFL \mid\ \vdash \varphi : Pr \text{ using types } \tau \text{ with } ord(\tau) \leq k \text{ and } mar(\tau) \leq m \text{ only}\ \}$$

$$HFL^{k} := \bigcup_{m \in \mathbb{N}} HFL^{k,m}$$

Note that no formula can have maximal type order $k \geq 1$ but maximal type arity $m = 0$.
The combination $k = 0$ and $m \geq 1$ is also impossible. Hence, we define

$$HFL^{0} := \{\ \varphi \in HFL \mid\ \vdash \varphi : Pr \text{ using types } \tau \text{ with } ord(\tau) = 0 \text{ only}\ \}$$

We extend these measures to formulas in a straightforward way: $ord(\varphi) = k$ and $mar(\varphi) =
m$ iff $k$ and $m$ are the least $k'$ and $m'$ s.t. $\varphi$ can be shown to have some type using types $\tau$
with $ord(\tau) \leq k'$ and $mar(\tau) \leq m'$ only.

Proposition 2.7. $HFL^{0} = \mathcal{L}_\mu$.

Proof. An $HFL^{0}$ formula cannot have any subformula of the form $\lambda X.\psi$ or $\varphi\ \psi$. But deleting
these two clauses from the definition of HFL's syntax yields exactly the syntax of $\mathcal{L}_\mu$. It is
not hard to see that this is faithful, i.e. the semantics of this logic regarded as a fragment
of HFL is the same as the semantics of $\mathcal{L}_\mu$. □



2.3. Examples of Properties Expressible in HFL.

Example 2.8. HFL can express the non-regular (but context-free) property "on any path
the number of out's seen at any time never exceeds the number of in's seen so far." Let

$$\varphi := \mu(X : Pr \to Pr).\big(\lambda(Z : Pr).\langle out \rangle Z \vee \langle in \rangle (X\ (X\ Z))\big)\ tt$$

This formula is best understood by comparing it to the CFG $X \to out \mid in\ X\ X$. It generates
the language $L$ of all words $w = v \cdot out$ with $v \in \{in, out\}^*$ s.t. $|v|_{in} = |v|_{out}$ and for all prefixes $u$ of
$v$ we have $|u|_{in} \geq |u|_{out}$. This language contains exactly those prefixes of buffer runs that
are violating due to a buffer underflow. Then $\mathcal{T}, s \models \varphi$ iff there is a finite path through $\mathcal{T}$
starting in $s$ that is labeled with a word in $L$, and $\neg\varphi$ consequently describes the property
mentioned above.

Example 2.9. Another property that is easily seen not to be expressible by a finite tree
automaton and, hence, not by a formula of the modal μ-calculus either is bisimilarity to a
word. Note that a transition system $\mathcal{T}$ with starting state $s$ is not bisimilar to a linear word
model iff there are two distinct actions $a$ and $b$ s.t. there are two (not necessarily distinct)
states $t_1$ and $t_2$ at the same distance from $s$ s.t. $t_1 \xrightarrow{a} t_1'$ and $t_2 \xrightarrow{b} t_2'$ for some $t_1', t_2'$. This
is expressed by the HFL formula

$$\neg\Big(\bigvee_{a \neq b} \big(\mu(F : Pr \to Pr \to Pr).\lambda(X : Pr).\lambda(Y : Pr).(X \wedge Y) \vee (F\ \langle - \rangle X\ \langle - \rangle Y)\big)\ \langle a \rangle tt\ \langle b \rangle tt\Big)$$

This formula is best understood by regarding the least fixpoint definition as a functional
program. It takes two arguments $X$ and $Y$ and checks whether both hold now or calls itself
recursively with the arguments being checked in two (possibly different) successors of the
state that it is evaluated in.

Note that here, bisimulation does not consider the labels of states but only the actions
along transitions. It is not hard to change the formula accordingly to incorporate state
labels as well.

Example 2.10. Let $2_0 := 1$ and $2_{m+1} := 2^{2_m}$. For any $m \in \mathbb{N}$, there is a short HFL
formula $\varphi_m$ expressing the fact that there is a maximal path of length $2_m$ (number of states
on this path) through a transition system. It can be constructed using a typed version of
the Church numeral 2. Let $\tau_0 = Pr$ and $\tau_{i+1} = \tau_i \to \tau_i$. For $i \geq 1$ define $\psi_i$ of type $\tau_{i+1}$ as
$\lambda(F : \tau_i).\lambda(X : \tau_{i-1}).F\ (F\ X)$. Then

$$\varphi_m := \psi_m\ \psi_{m-1}\ \ldots\ \psi_1\ (\lambda(X : Pr).\langle - \rangle X)\ [-]ff.$$

Note that for any $m \in \mathbb{N}$, $\varphi_m$ is of size linear in $m$. This indicates that HFL is able to
express computations of Turing Machines of arbitrary elementary complexity. Sect. 4 will
show that this is indeed the case.

2.4. Complexity Classes and Alternating Turing Machines. We will assume familiarity
with the concept of a deterministic Turing Machine but quickly recall the less well-known
model of an alternating Turing Machine.

Let $DTime(f(n))$ be the class of languages that can be recognised by a deterministic
Turing Machine in at most $f(n)$ many steps on any input of length $n$. The $k$-th level of the
exponential time hierarchy for $k \in \mathbb{N}$ is

$$k\mathrm{ExpTime} := \bigcup_{p \text{ polynomial}} DTime\big(2_k^{p(n)}\big)$$

where the tower of exponentials is given by $2_0^{x} := x$ and $2_{j+1}^{x} := 2^{2_j^{x}}$.
Then $\mathrm{Elementary} := \bigcup_{k \in \mathbb{N}} k\mathrm{ExpTime}$ is the class of problems that can be solved in
elementary time. Note that $\mathrm{Elementary}$ does not have complete problems because their
existence would lead to a collapse of the hierarchy which is not the case.

Definition 2.11. An alternating Turing Machine is a tuple $\mathcal{M} = (Q, \Sigma, \Gamma, q_0, \delta, q_{acc}, q_{rej})$
s.t. its state set $Q$ is partitioned into existential states $Q_\exists$, universal states $Q_\forall$ and the
halting states $\{q_{acc}, q_{rej}\}$. The starting state $q_0$ is either existential or universal. The input
alphabet $\Sigma$ is a subset of the tape alphabet $\Gamma$ containing a special blank symbol $\Box$. The
transition relation is of type $\delta \subseteq Q \times \Gamma \times Q \times \Gamma \times \{-1, 0, +1\}$.

$\mathcal{M}$ is called $f(n)$-space bounded for some function $f(n)$ if it never uses more than $f(n)$
many tape cells in a computation on a word of length $n$. A configuration of such an $\mathcal{M}$ is a
triple $C \in Q \times \{0, \ldots, f(n) - 1\} \times \Gamma^{f(n)}$ representing the current state, the position of the
tape head and the content of the tape. The starting configuration is $C_0 := (q_0, 0, w\Box\ldots\Box)$.
A configuration $(q, i, v)$ is called

• existential if $q \in Q_\exists$,

• universal if $q \in Q_\forall$,

• accepting if $q = q_{acc}$,

• rejecting if $q = q_{rej}$.

The computation of $\mathcal{M}$ on $w$ is a tree whose root is $C_0$ s.t. an existential configuration
has exactly one successor configuration in the tree, all possible successor configurations of a
universal configuration are present in the tree, and leaves are exactly those configurations
that are accepting or rejecting. The successor relation on configurations is the usual one
built on the transition relation $\delta$.

W.l.o.g. we can assume that every path of any computation tree of $\mathcal{M}$ on any $w$ will
eventually reach an accepting or rejecting configuration. I.e. computation trees are always
finite. This can be achieved for example by running an additional clock which causes a
transition to the rejecting state when a configuration has been reached repeatedly.

A computation is called accepting if all of its leaves are accepting. The machine $\mathcal{M}$
accepts the word $w$, $w \in L(\mathcal{M})$, if there is an accepting computation tree of $\mathcal{M}$ on $w$.

Let $ASpace(f(n))$ be the class of languages that can be recognised by an $f(n)$-space
bounded alternating Turing Machine.

$$k\mathrm{AExpSpace} := \bigcup_{p \text{ polynomial}} ASpace\big(2_k^{p(n)}\big)$$

There is a direct correspondence between the levels of the elementary time hierarchy and
classes defined by alternating space-bounded Turing Machines. For all $k \geq 1$ we have
$k\mathrm{ExpTime} = (k-1)\mathrm{AExpSpace}$ [4]. We will make use of a related result.

Theorem 2.12 ([4]). For every $k \geq 1$ there is a polynomial $p(n)$ and some alternating
$2_{k-1}^{p(n)}$-space bounded Turing Machine $\mathcal{A}_k$ s.t. $L(\mathcal{A}_k)$ over a binary alphabet is $k\mathrm{ExpTime}$-hard.

Finally, we need to introduce the class UP, a subclass of NP. UP consists of all problems
that are solvable by a non-deterministic polynomial time bounded Turing Machine with at
most one accepting computation. As usual, co-UP denotes the complement of UP. Later
we will briefly mention the class UP ∩ co-UP. Note that UP ∩ co-UP is not known to have complete
problems either.
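The acceptance condition of Definition 2.11 can be evaluated directly over the finite computation tree. The following Python program is an added example and not part of the paper: it builds a small alternating machine over the binary alphabet of Theorem 2.12 (the machine, its transition relation and the sample words are constructed for this illustration only) and decides membership in $L(\mathcal{M})$ by recursion over existential and universal configurations, enforcing the space bound $f(n) = n + 1$ and applying the "clock" rule that rejects a configuration seen twice on the same branch.

```python
# Added example, not part of the paper.  Evaluates the computation tree of
# an alternating Turing Machine (Definition 2.11) on an input word.
BLANK = "_"                     # the blank tape symbol (written as a box in the text)

# Constructed machine over the input alphabet {0,1}: it accepts exactly the
# words in which every 1 is eventually followed by a 0.  The universal state
# 'scan' forks at every 1 into "keep scanning" and "go and find a later 0";
# the existential state 'seek' walks right until it reads a 0.  Every
# (state, symbol) pair has a transition, so no non-halting leaves occur.
Q_EXISTS = {"seek"}
Q_FORALL = {"scan"}
Q_ACC, Q_REJ = "acc", "rej"
DELTA = {                       # (q, read, q', write, move) in Q x G x Q x G x {-1,0,+1}
    ("scan", "0", "scan", "0", +1),
    ("scan", "1", "scan", "1", +1),
    ("scan", "1", "seek", "1", +1),
    ("scan", BLANK, Q_ACC, BLANK, 0),
    ("seek", "1", "seek", "1", +1),
    ("seek", "0", Q_ACC, "0", 0),
    ("seek", BLANK, Q_REJ, BLANK, 0),
}
SAMPLE_ATM = (Q_EXISTS | Q_FORALL | {Q_ACC, Q_REJ},  # Q
              {"0", "1"},                             # Sigma
              {"0", "1", BLANK},                      # Gamma
              "scan", DELTA, Q_ACC, Q_REJ)            # q0, delta, q_acc, q_rej


def successors(atm, conf, space):
    """All successor configurations of (q, i, tape).  A move that would leave
    the f(n) = `space` cells is not available, which enforces the space bound."""
    _, _, _, _, delta, _, _ = atm
    q, i, tape = conf
    out = []
    for (p, read, p2, write, move) in delta:
        if p == q and tape[i] == read and 0 <= i + move < space:
            out.append((p2, i + move, tape[:i] + (write,) + tape[i + 1:]))
    return out


def accepts(atm, word, exists=Q_EXISTS):
    """w in L(M): the computation tree rooted at C0 = (q0, 0, w blank) is accepting.
    An existential configuration needs one accepting successor, a universal one
    needs all of them.  A configuration repeated on the current branch counts as
    rejecting; this is the `clock' that keeps every computation tree finite."""
    _, sigma, _, q0, _, q_acc, q_rej = atm
    assert set(word) <= sigma
    space = len(word) + 1                       # f(n) = n + 1 cells suffice for this machine
    tape = tuple(word) + (BLANK,) * (space - len(word))

    def run(conf, on_branch):
        q = conf[0]
        if q == q_acc:
            return True
        if q == q_rej or conf in on_branch:
            return False
        results = [run(c, on_branch | {conf}) for c in successors(atm, conf, space)]
        return any(results) if q in exists else all(results)

    return run((q0, 0, tape), frozenset())


if __name__ == "__main__":
    for w in ["", "0", "1", "101", "1010", "0110", "11"]:
        print(repr(w), accepts(SAMPLE_ATM, w))
```

The recursion explores the whole tree, so its running time is exponential in the number of universal forks; that is the expected cost of deciding an alternating space-bounded machine deterministically, which is exactly the time/space correspondence the text states.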

3. The Upper Bound

We will take two steps in order to obtain a $k\mathrm{ExpTime}$ upper bound on the model
checking problem for $HFL^{k,m}$ for every $m \in \mathbb{N}$. First we eliminate fixpoint constructs
from the formula w.r.t. the underlying transition system. This results in a possibly $k$-fold
exponentially larger modal formula with λ-abstractions and function applications. We then
reduce the model checking problem for such formulas to the reachability game problem in
graphs of roughly the same size.

The combination of the elimination step and the reduction step is necessary to achieve
the $k\mathrm{ExpTime}$ upper bound. It would be easy to eliminate the λ-calculus part from a
fixpoint-free formula using β-reduction. However, the best known upper bounds on the
number of reduction steps in the simply typed λ-calculus are approximately of the order
$2_{k+1}$ [24] which would only yield a $(2k+1)\mathrm{ExpTime}$ upper bound.

The reason for avoiding the additional $k + 1$ exponents is that β-reduction is a purely
syntactical procedure. We incorporate semantics into these reachability games by evaluating
λ-bound variables to real functions of finite domain and co-domain rather than unwinding
the entire syntactical definition of that function as a program in the simply typed λ-calculus.
Note that such a function can be represented by more than one λ-term. Whereas equivalence
of fixpoint-free HFL formulas is difficult to decide (in fact, it is undecidable in general and
might require β-reduction on a fixed transition system), it is easy to decide for unique
semantical representations of these functions.

On the other hand, extending the reachability games to games that capture full HFL
formulas including fixpoint quantifiers and variables is not easy either, see the example after
the definition of the games below.

3.1. Fixpoint Elimination.

Lemma 3.1. For all HFL types $\tau$ and all transition systems $\mathcal{T}$ with $n$ states we have:

$$|\tau| \;\leq\; 2_{ord(\tau)+1}^{\,n \cdot (mar(\tau) + ord(\tau))^{ord(\tau)}}$$

Proof. We prove this by induction on the structure of $\tau$. Note that there are $2^n$ many
different elements of type $Pr$, and $ord(Pr) = 0 = mar(Pr)$ which immediately yields the
base case.

For the other cases let $\tau = \tau_1 \to \ldots \to \tau_m \to Pr$. With uncurrying it is easy to regard
this as a function that takes $m$ arguments of corresponding type and delivers something of
type $Pr$. Write $k := ord(\tau) \geq 1$ and $r := mar(\tau) \geq m$. Then we have

$$\begin{array}{rcll}
|\tau| &\leq& |Pr|^{\prod_{i=1}^m |\tau_i|} \;=\; 2^{\,n \cdot \prod_{i=1}^m |\tau_i|} & \\[4pt]
&\leq& 2^{\,n \cdot \prod_{i=1}^m 2_{ord(\tau_i)+1}^{\,n \cdot (mar(\tau_i)+ord(\tau_i))^{ord(\tau_i)}}} & \text{by the hypothesis} \\[4pt]
&\leq& 2^{\,n \cdot \prod_{i=1}^m 2_{k}^{\,n \cdot (mar(\tau_i)+k-1)^{k-1}}} & \text{because of } ord(\tau_i) \leq k - 1 \\[4pt]
&\leq& 2^{\,n \cdot \prod_{i=1}^m 2_{k}^{\,n \cdot (r+k-1)^{k-1}}} & \text{because of } mar(\tau_i) \leq r \\[4pt]
&=& 2^{\,n \cdot \big(2_{k}^{\,n \cdot (r+k-1)^{k-1}}\big)^m} & \\[4pt]
&=& 2^{\,n \cdot 2^{\,m \cdot 2_{k-1}^{\,n \cdot (r+k-1)^{k-1}}}} & \text{because of } k \geq 1 \\[4pt]
&\leq& 2^{\,n \cdot 2^{\,2_{k-1}^{\,n \cdot m \cdot (r+k-1)^{k-1}}}} & \text{because of } m \cdot 2_j^{x} \leq 2_j^{\,m \cdot x} \text{ for } m, x \geq 1 \\[4pt]
&\leq& 2^{\,n \cdot 2_{k}^{\,n \cdot (r+k-1)^{k}}} & \text{because of } m \leq r,\ k \geq 1 \\[4pt]
&\leq& 2^{\,2_{k}^{\,n \cdot (r+k-1)^{k} + \log n}} & \text{because of } k \geq 1 \\[4pt]
&\leq& 2^{\,2_{k}^{\,n \cdot ((r+k-1)^{k} + 1)}} & \text{because of } \log n \leq n \\[4pt]
&\leq& 2^{\,2_{k}^{\,n \cdot (r+k)^{k}}} & \text{because of } k \geq 1 \\[4pt]
&=& 2_{k+1}^{\,n \cdot (mar(\tau) + ord(\tau))^{ord(\tau)}} &
\end{array}$$

which proves the claim. □



Let $types(k, m) := \{\tau \mid ord(\tau) \leq k, mar(\tau) \leq m\}$ denote the set of types of restricted
order and maximal arity. As mentioned above we have $|types(0,0)| = 1$, and $|types(k,0)| =
|types(0,m)| = 1$ for any $k, m \geq 1$.

Lemma 3.2. For all $k \geq 1$ and $m \geq 1$ we have $|types(k,m)| \leq m^{\,k \cdot m^{k-1}}$.

Proof. By induction on $k$. First consider the case of $k = 1$. All types of order 1 and maximal
arity $m$ are of the form

$$\tau := \underbrace{Pr \to \ldots \to Pr}_{i \text{ times}} \to Pr$$

with $1 \leq i \leq m$. Clearly, their number is bounded by $m = m^{\,1 \cdot m^{0}}$.

Now consider any $k > 1$. Remember that any HFL type is isomorphic to one of the form
$\tau = \tau_1 \to \ldots \to \tau_i \to Pr$. Note that $ord(\tau_j) < ord(\tau)$ for all $j = 1, \ldots, i$ and $1 \leq i \leq m$.

Then we have

$$|types(k,m)| = \sum_{i=1}^{m} |types(k-1,m)|^{i} \;\leq\; m \cdot |types(k-1,m)|^{m} \;\leq\; m \cdot \big(m^{\,(k-1) \cdot m^{k-2}}\big)^{m} \;=\; m^{\,1 + (k-1) \cdot m^{k-1}} \;\leq\; m^{\,k \cdot m^{k-1}}$$

using the hypothesis for $k - 1$. □

Lemma 3.3. For any $k \geq 1$ and any $m \geq 1$ there are at most $m^{\,k \cdot m^{k-1}} \cdot 2_{k+1}^{\,n \cdot (m+k)^{k}}$ many
different functions $f$ of type $\tau$ with $ord(\tau) \leq k$ and $mar(\tau) \leq m$ over a transition system
with $n$ states.

Proof. Immediately from Lemmas 3.1 and 3.2. □

Definition 3.4. Let $\tau$ be any HFL type. We write $h(\tau)$ for the height of the lattice $[\![\tau]\!]^{\mathcal{T}}$
over a fixed transition system $\mathcal{T}$. It is the length of a maximal chain

$$f_0 \sqsubset_\tau f_1 \sqsubset_\tau f_2 \sqsubset_\tau \ldots$$

of elements that are properly increasing w.r.t. $\sqsubseteq_\tau$. In general this is an ordinal number, but
if $|\mathcal{T}| < \infty$ then $h(\tau) \in \mathbb{N}$ for all HFL types $\tau$.

Lemma 3.5. For all HFL types $\tau$ and all transition systems $\mathcal{T}$ with $n$ states we have:

$$h(\tau) \;\leq\; (n+1) \cdot \Big(2_{ord(\tau)}^{\,n \cdot (mar(\tau)+ord(\tau)-1)^{ord(\tau)-1}}\Big)^{mar(\tau)}$$

Proof. First consider the case of $ord(\tau) = 0$. Then $\tau = Pr$, and it is well-known that the
power set lattice of $n$ elements has height $n + 1$, which is the bound since $mar(Pr) = 0$ makes
its second factor equal to $1$.

Now suppose $ord(\tau) > 0$ and $\tau = \tau_1 \to \ldots \to \tau_m \to Pr$ for some $m \geq 1$. Let

$$N := \Big(2_{ord(\tau)}^{\,n \cdot (mar(\tau)+ord(\tau)-1)^{ord(\tau)-1}}\Big)^{mar(\tau)}.$$

According to Lemma 3.1 there are at most $N$ many
different tuples $\bar{x} \in [\![\tau_1]\!]^{\mathcal{T}} \times \ldots \times [\![\tau_m]\!]^{\mathcal{T}}$ because $ord(\tau_i) \leq ord(\tau) - 1$ for all $i = 1, \ldots, m$.

Using uncurrying we can regard each $f \in [\![\tau]\!]^{\mathcal{T}}$ as a function that maps each such $\bar{x}$ to
an element of $Pr$. Now suppose the claim is wrong. Then there is a chain

$$f_0 \sqsubset_\tau f_1 \sqsubset_\tau f_2 \sqsubset_\tau \ldots \sqsubset_\tau f_{(n+1)N+1}$$

of functions of type $\tau$. Since each one is strictly greater than the preceding one there is a
sequence $\bar{x}_i$ of tuples s.t. for $i = 0, \ldots, (n+1)N$ we have $f_i\ \bar{x}_i \sqsubset f_{i+1}\ \bar{x}_i$. But remember
that there are only $N$ tuples altogether. By the pigeonhole principle, one of them must
occur at least $(n+1)+1$ many times. Thus, there are $0 \leq i_1 < \ldots < i_{n+2} \leq (n+1)N$
s.t. $\bar{x}_{i_1} = \bar{x}_{i_2} = \ldots = \bar{x}_{i_{n+2}}$. Let $\bar{x}$ simply denote this element.
By transitivity of the partial order $\sqsubseteq_\tau$ we then have

$$f_{i_1}\ \bar{x} \;\sqsubset\; f_{i_2}\ \bar{x} \;\sqsubset\; \ldots \;\sqsubset\; f_{i_{n+2}}\ \bar{x}$$

which contradicts the fact that the height of $Pr$ is only $n + 1$. Hence, the height of $\tau$ must
be bounded by $(n+1)N$. □

Definition 3.6. Let $\mu X.\varphi$ be an HFL formula of type $\tau = \tau_1 \to \ldots \to \tau_m \to Pr$. We define
finite approximants of this fixpoint formula for all $\alpha \in \mathbb{N}$ as follows:

$$\mu^{0} X.\varphi := \lambda(Z_1 : \tau_1) \ldots \lambda(Z_m : \tau_m).ff, \qquad \mu^{\alpha+1} X.\varphi := \varphi[\mu^{\alpha} X.\varphi / X]$$

The next result is an immediate consequence of the Knaster-Tarski theorem [27].

Lemma 3.7. Let $\mathcal{T}$ be a transition system with state set $S$ s.t. $|S| < \infty$. For all HFL
formulas $\mu(X : \tau).\varphi$ and all environments $\eta$ we have: $[\![\mu(X : \tau).\varphi]\!]_\eta = [\![\mu^{h(\tau)} X.\varphi]\!]_\eta$.
The following lemma concerns the size of formulas after fixpoint elimination. 
Lemma 3.8. Let $\mathcal{T}$ be a finite transition system with $n$ states, $k, m \geq 1$. For every closed
$HFL^{k,m}$ formula $\varphi$ there is a fixpoint-free and closed $\varphi' \in HFL^{k,m}$ s.t. $[\![\varphi]\!]^{\mathcal{T}} = [\![\varphi']\!]^{\mathcal{T}}$,
$v(\varphi') \leq v(\varphi) + m$, and

$$|\varphi'| \;\leq\; |\varphi| \cdot (n+1)^{|\varphi|} \cdot \Big(2_{k}^{\,n \cdot (m+k-1)^{k-1}}\Big)^{m \cdot |\varphi|}.$$

Proof. First we prove the existence of such a $\varphi'$ by induction on the number $f$ of different
fixpoint subformulas of $\varphi$. If this is $0$ then simply take $\varphi' := \varphi$.

Suppose $f > 0$. Then $\varphi$ contains at least one subformula $\mu(X : \tau).\psi$ of some type $\tau$ s.t.
$\psi$ is fixpoint-free. According to Lemma 3.7 this $\mu(X : \tau).\psi$ is equivalent to $\mu^{h(\tau)} X.\psi$ over
$\mathcal{T}$. Furthermore, $\mu^{h(\tau)} X.\psi$ is fixpoint-free. Let $\varphi'' := \varphi[\mu^{h(\tau)} X.\psi / \mu(X : \tau).\psi]$. Since $\varphi''$
contains fewer fixpoint subformulas than $\varphi$ we can use the induction hypothesis to obtain a $\varphi'$
that is equivalent to $\varphi''$ over $\mathcal{T}$. Lemma 3.7 shows that $\varphi''$ is equivalent to $\varphi$ over $\mathcal{T}$, hence
we have $[\![\varphi]\!]^{\mathcal{T}} = [\![\varphi']\!]^{\mathcal{T}}$. Note that fixpoint elimination does not create free variables, i.e. $\varphi'$
is also closed.

What remains to be shown are the corresponding bounds on the size and number of
variables of $\varphi'$. First consider $v(\varphi')$. The only λ-bound variables in $\varphi'$ are those that
are already λ-bound in $\varphi$ plus at most $m$ variables for subformulas of the form $\mu^{0} X.\psi =
\lambda Z_1 \ldots \lambda Z_{m'}.ff$ for some $m' \leq m$. Note that the approximants reuse λ-bound variables
which is semantically sound because the value of an $i$-th approximant as a function cannot
depend on an argument of the $j$-th approximant for some $j \neq i$. The only free variables in
each approximant should be those that are free in $\mu(X : \tau).\psi$ already.

Finally, let $N := (n+1) \cdot \big(2_{k}^{\,n \cdot (m+k-1)^{k-1}}\big)^{m}$. We show by induction on the number $f$ of
fixpoint subformulas in $\varphi$ that the size of $\varphi'$ is bounded by $(N+1)^{f} \cdot |\varphi|$. It should be clear
that this implies the claim of the lemma.

This is clearly true for $f = 0$. Now let $f > 0$, and first consider the formula $\varphi'' =
\varphi[\mu^{h(\tau)} X.\psi / \mu(X : \tau).\psi]$ as constructed above. Note that $ord(\tau) \leq k$, and $mar(\tau) \leq m$,
and, according to Lemma 3.5, $h(\tau) \leq N$. Therefore, we can estimate the size of the
approximant that replaces the fixpoint formula as $|\mu^{h(\tau)} X.\psi| \leq N \cdot |\psi| + m + 1$. This is
because the size of the 0-th approximant is $m + 1$ and the size of the $(i+1)$-st is always $|\psi|$
plus the size of the $i$-th. Then we have

$$|\varphi''| = |\varphi| - |\psi| + N \cdot |\psi| + m + 1 = |\varphi| + (N-1) \cdot |\psi| + m + 1 \;\leq\; N \cdot |\varphi| + m + 1 \;\leq\; (N+1) \cdot |\varphi|$$

because the size of a formula $\varphi$ must be strictly greater than the maximal arity of any of
its subformulas. Now the number of fixpoint formulas in $\varphi''$ is $f - 1$. By the induction
hypothesis we obtain

$$|\varphi'| \;\leq\; (N+1)^{f-1} \cdot |\varphi''| \;\leq\; (N+1)^{f-1} \cdot (N+1) \cdot |\varphi| \;=\; (N+1)^{f} \cdot |\varphi|$$

for the size of the formula $\varphi'$ without any fixpoint subformulas. □
3.2. Reachability Games.

Definition 3.9. A reachability game between players ∃ and ∀ is a pointed and directed graph G = (V_∃, V_∀, E, v_0, W_∃, W_∀) with node set V := V_∃ ∪ V_∀ ∪ W_∃ ∪ W_∀ for some mutually disjoint V_∃, V_∀, W_∃, W_∀, edge relation E ⊆ (V_∃ ∪ V_∀) × V and designated starting node v_0 ∈ V. Define |G| := |E| as the size of the game.

The sets V_∃ and V_∀ contain those nodes in which player ∃, resp. player ∀ makes a choice. The sets W_∃ and W_∀ are terminal nodes in which player ∃, resp. player ∀ wins. We therefore require that only nodes in W_∃ or W_∀ are terminal, i.e. for all v ∈ V \ (W_∃ ∪ W_∀) there is a w ∈ V with (v, w) ∈ E.

A play is a sequence v_0, v_1, ... starting in v_0 and constructed as follows. If the play has visited nodes v_0, ..., v_i for some i ∈ ℕ and v_i ∈ V_p for some p ∈ {∃, ∀} then player p chooses a node w s.t. (v_i, w) ∈ E and v_{i+1} := w.

A play v_0, ..., v_n is won by player p if v_n ∈ W_p. A reachability game is called determined if every play has a unique winner. Given the prerequisite W_∃ ∩ W_∀ = ∅, determinacy of a reachability game simply means that infinite plays are not possible.

A strategy for player p is a function σ : V_p → V. A play v_0, ..., v_n conforms to a strategy σ for player p if for all i = 0, ..., n − 1 with v_i ∈ V_p: v_{i+1} = σ(v_i). Such a strategy σ is called a winning strategy if player p wins every play that conforms to σ.

The problem of solving a determined reachability game is: given such a game G, decide whether or not player ∃ has a winning strategy for G.

It is well known that reachability games can be solved in linear time, using dynamic programming for instance [30].

Theorem 3.10. Solving a reachability game G can be done in time O(|G|).

3.3. Model Checking Games for Fixpoint-Free HFL. In this section we define reachability games that capture exactly the satisfaction relation for fixpoint-free HFL formulas.

Let φ_0 be a closed and fixpoint-free HFL formula of type Pr and T = (S, {→a | a ∈ A}, L) a labeled transition system with a designated starting state s_0 ∈ S. The game G_T(s_0, φ_0) is played between players ∃ and ∀ in order to determine whether or not T, s_0 ⊨ φ_0 holds. A configuration of the game is written

s, f_1, ..., f_k, η ⊢ ψ

s.t. ψ ∈ FL(φ_0) is of some type τ_1 → ... → τ_k → Pr, s ∈ S, and f_i ∈ [[τ_i]]^T for all i = 1, ..., k. Note that k = 0 is possible. Finally, η is a (partial) finite map that assigns an element f ∈ [[τ]]^T to each free variable X of type τ in ψ.

The intended meaning of such a configuration is: player ∃ tries to show s ∈ [[ψ]]^T_η f_1 ... f_k whereas player ∀ tries to show the opposite. Since the semantics of formulas is defined recursively, the play usually proceeds from one such configuration to another containing a direct subformula. For instance, if the formula in the current configuration is a disjunction then player ∃ chooses one of the disjuncts, because disjunctions are easy to prove but hard to refute in this way. Consequently, player ∀ performs a choice on conjunctions (negated disjunctions). A similar argument applies to configurations with modal operators. In the case of function application we employ a small protocol of choices between these two players which simply reflects the semantics of function application in higher-order logic.

A play of G_T(s_0, φ_0) is a finite sequence C_0, C_1, ... of configurations constructed as follows. C_0 := s_0, η_0 ⊢ φ_0 where η_0 is undefined on all arguments.

If C_0, ..., C_{n−1} have already been constructed, then C_n is obtained by case distinction on C_{n−1}.

(1) If C_{n−1} = s, η ⊢ ψ_1 ∨ ψ_2 then player ∃ chooses an i ∈ {1, 2} and C_n := s, η ⊢ ψ_i.

(2) If C_{n−1} = s, η ⊢ ¬(ψ_1 ∨ ψ_2) then player ∀ chooses an i ∈ {1, 2} and C_n := s, η ⊢ ¬ψ_i.



Here we restrict ourselves to memory-less strategies which are well-known to suffice for reachability 
games. 
(3) If C_{n−1} = s, η ⊢ ⟨a⟩ψ then player ∃ chooses a t ∈ S s.t. s →a t and C_n := t, η ⊢ ψ.

(4) If C_{n−1} = s, η ⊢ ¬⟨a⟩ψ then player ∀ chooses a t ∈ S s.t. s →a t and C_n := t, η ⊢ ¬ψ.

(5) If C_{n−1} = s, f_1, ..., f_k, η ⊢ ¬¬ψ then C_n := s, f_1, ..., f_k, η ⊢ ψ.

(6) If C_{n−1} = s, f_1, ..., f_k, η ⊢ φ ψ and ψ is of type σ then player ∃ chooses a g ∈ [[σ]]^T. Next player ∀ has two options.

• He either continues with C_n := s, g, f_1, ..., f_k, η ⊢ φ.

• Or let σ = σ_1 → ... → σ_m → Pr. Player ∀ chooses values h_i ∈ [[σ_i]]^T for i = 1, ..., m, and either

– selects a t ∈ g h_1 ... h_m, and the play continues with t, h_1, ..., h_m, η ⊢ ψ, or

– selects a t ∉ g h_1 ... h_m, and the play continues with t, h_1, ..., h_m, η ⊢ ¬ψ.

(7) If C_{n−1} = s, f_1, ..., f_k, η ⊢ ¬(φ ψ) and ψ is of type σ then player ∃ chooses a g ∈ [[σ]]^T. Next player ∀ has two options.

• He either continues with C_n := s, g, f_1, ..., f_k, η ⊢ ¬φ.

• Or let σ = σ_1 → ... → σ_m → Pr. Player ∀ chooses values h_i ∈ [[σ_i]]^T for i = 1, ..., m, and either

– selects a t ∈ g h_1 ... h_m, and the play continues with t, h_1, ..., h_m, η ⊢ ψ, or

– selects a t ∉ g h_1 ... h_m, and the play continues with t, h_1, ..., h_m, η ⊢ ¬ψ.

(8) If C_{n−1} = s, f_1, ..., f_k, η ⊢ λX.ψ then C_n := s, f_2, ..., f_k, η[X ↦ f_1] ⊢ ψ.

(9) If C_{n−1} = s, f_1, ..., f_k, η ⊢ ¬λX.ψ then C_n := s, f_2, ..., f_k, η[X ↦ f_1] ⊢ ¬ψ.

The game rules (5), (8) and (9) are deterministic. Neither player has to make a real choice there.

A play C_0, C_1, ..., C_n is won by player ∃, if

(1) C_n = s, η ⊢ q and s ∈ L(q), or

(2) C_n = s, η ⊢ ¬q and s ∉ L(q), or

(3) C_n = s, f_1, ..., f_k, η ⊢ X and s ∈ η(X) f_1 ... f_k, or

(4) C_n = s, f_1, ..., f_k, η ⊢ ¬X and s ∉ η(X) f_1 ... f_k, or

(5) C_n = s, η ⊢ ¬⟨a⟩ψ and there is no t ∈ S with s →a t.

Player ∀ wins this play, if

(6) C_n = s, η ⊢ q and s ∉ L(q), or

(7) C_n = s, η ⊢ ¬q and s ∈ L(q), or

(8) C_n = s, f_1, ..., f_k, η ⊢ X and s ∉ η(X) f_1 ... f_k, or

(9) C_n = s, f_1, ..., f_k, η ⊢ ¬X and s ∈ η(X) f_1 ... f_k, or

(10) C_n = s, η ⊢ ⟨a⟩ψ and there is no t ∈ S with s →a t.
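As an added worked example (our own code, not from the paper), the following Python program builds the game G_T(s, φ) for the propositional and modal rules (1)–(5) together with the winning conditions (1), (2), (5), (6), (7) and (10), and then solves it by the linear-time backward evaluation that underlies Theorem 3.10. Function application, rules (6)–(9), is left out because it needs an enumeration of [[σ]]^T. The transition system, its labelling and the formula are constructed for the example; the names build_game, solve, sem, exists_wins and check_all are ours. The last function checks Corollary 3.14 on the constructed system: player ∃ wins the game exactly in the states that satisfy the formula.

```python
"""Added example, not code from the paper: the game G_T(s, phi) of Section 3.3 restricted to
the propositional and modal rules (1)-(5), solved by the linear-time backward evaluation
behind Theorem 3.10.  Formulas are nested tuples:
('q', p) | ('not', phi) | ('or', phi1, phi2) | ('dia', a, phi)."""
from collections import deque

# Constructed labelled transition system T = (S, {->a}, L): states 0..3, one action 'a'.
STATES = (0, 1, 2, 3)
TRANS = {'a': {(0, 1), (0, 2), (1, 3), (2, 2)}}      # pairs s ->a t; state 3 has no successor
LABEL = {0: set(), 1: {'p'}, 2: set(), 3: {'p'}}      # L(s): propositions true at s

def succ(s, a):
    return [t for (u, t) in TRANS[a] if u == s]

def build_game(s0, phi):
    """Nodes are the configurations (s, psi) reachable from (s0, phi).
    Returns (V_exists, V_forall, W_exists, W_forall, E) as in Definition 3.9."""
    V_E, V_A, W_E, W_A, E = set(), set(), set(), set(), set()
    todo, seen = deque([(s0, phi)]), set()
    while todo:
        c = todo.popleft()
        if c in seen:
            continue
        seen.add(c)
        s, psi = c
        out = []                                          # successor configurations of c
        if psi[0] == 'q':                                 # winning conditions (1) and (6)
            (W_E if psi[1] in LABEL[s] else W_A).add(c)
        elif psi[0] == 'or':                              # rule (1): player E picks a disjunct
            V_E.add(c); out = [(s, psi[1]), (s, psi[2])]
        elif psi[0] == 'dia':                             # rule (3), or condition (10) if stuck
            ts = succ(s, psi[1])
            if ts: V_E.add(c); out = [(t, psi[2]) for t in ts]
            else: W_A.add(c)
        else:                                             # psi = ('not', chi)
            chi = psi[1]
            if chi[0] == 'q':                             # winning conditions (2) and (7)
                (W_A if chi[1] in LABEL[s] else W_E).add(c)
            elif chi[0] == 'or':                          # rule (2): player A picks a conjunct
                V_A.add(c); out = [(s, ('not', chi[1])), (s, ('not', chi[2]))]
            elif chi[0] == 'dia':                         # rule (4), or condition (5) if stuck
                ts = succ(s, chi[1])
                if ts: V_A.add(c); out = [(t, ('not', chi[2])) for t in ts]
                else: W_E.add(c)
            else:                                         # rule (5): double negation, deterministic
                V_E.add(c); out = [(s, chi[1])]
        for d in out:
            E.add((c, d)); todo.append(d)
    return V_E, V_A, W_E, W_A, E

def solve(V_E, V_A, W_E, W_A, E):
    """Backward dynamic programming over the game graph: a node is won by player E if it lies
    in W_E, is an E-node with a won successor, or is an A-node all of whose successors are won.
    Every edge is inspected once, so the running time is O(|E|) as in Theorem 3.10.
    Returns the set of nodes won by E and a memoryless strategy for E on those nodes."""
    pred, remaining = {}, {v: 0 for v in V_A}
    for (u, v) in E:
        pred.setdefault(v, []).append(u)
        if u in V_A:
            remaining[u] += 1                             # A-successors not yet known to be won
    won, strategy, queue = set(W_E), {}, deque(W_E)
    while queue:
        v = queue.popleft()
        for u in pred.get(v, []):
            if u in won:
                continue
            if u in V_E:
                won.add(u); strategy[u] = v; queue.append(u)
            else:
                remaining[u] -= 1
                if remaining[u] == 0:
                    won.add(u); queue.append(u)
    return won, strategy

def sem(s, psi):
    """Direct evaluation of T, s |= psi, used to check Corollary 3.14 on the constructed system."""
    if psi[0] == 'q':
        return psi[1] in LABEL[s]
    if psi[0] == 'or':
        return sem(s, psi[1]) or sem(s, psi[2])
    if psi[0] == 'dia':
        return any(sem(t, psi[2]) for t in succ(s, psi[1]))
    return not sem(s, psi[1])

def exists_wins(s0, phi):
    won, _ = solve(*build_game(s0, phi))
    return (s0, phi) in won

def check_all(phi):
    """Corollary 3.14 on the constructed T: E wins G_T(s, phi) iff T, s |= phi, for every s."""
    return all(exists_wins(s, phi) == sem(s, phi) for s in STATES)

# Constructed sample formula: <a>(not not not(not p or <a>p)) or not <a>p,
# i.e. <a>(p and [a]not p) or [a]not p; it holds in states 1, 2, 3 and fails in state 0.
PSI = ('dia', 'a', ('not', ('not', ('not', ('or', ('not', ('q', 'p')), ('dia', 'a', ('q', 'p')))))))
PHI = ('or', PSI, ('not', ('dia', 'a', ('q', 'p'))))

if __name__ == "__main__":
    print({s: exists_wins(s, PHI) for s in STATES}, check_all(PHI))
```

The strategy returned by solve records, for each ∃-node in the winning region, the successor through which it was first attracted; on the determined games of this section that is a winning strategy in the sense of Definition 3.9, since a play following it never leaves the won region and cannot go on forever.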

We remark that these games do not easily extend to formulas with fixpoint quantifiers and variables via the characterisation of the model checking problem for the modal μ-calculus as a parity game [26]. The natural extension would add simple unfolding rules for fixpoint constructs which lead to infinite plays. The type of the outermost fixpoint variable that gets unfolded infinitely often in such a play would determine the winner.

However, this is neither sound nor complete. Consider the formula (ν(X : Pr → Pr).μ(Y : Pr).X Y) ff. It is equivalent to tt, hence, player ∃ should have a winning strategy for the game on this formula and any transition system. But player ∀ can enforce a play via rule (6) in which the outermost variable that gets unfolded infinitely often is Y which is of type

This shows that the straightforward extension to non-fixpoint-free formulas is not complete. Because of the presence of negation it is also not sound. Another explanation for the failure of such games is given by the model checking games for FLC [17] which incorporate a stack and a visibly pushdown winning condition in order to model that the variable X (the function) is more important than the variable Y (the argument) in the example above.

Lemma 3.11. Every play of G_T(s, φ) has a unique winner.

Proof. All rules properly reduce the size of the formula component in a configuration. Hence, there are no infinite plays, and a play is finished when either one of the players cannot perform a choice or there is no rule that applies to the current configuration anymore.

Note that for as long as rules still apply there are only two situations in which a player can get stuck: either the current configuration is s, η ⊢ ⟨a⟩ψ or it is s, η ⊢ ¬⟨a⟩ψ, and there is no t ∈ S s.t. s →a t. These cases are covered by winning conditions (5) and (10).

All other rules always guarantee one player a possible choice. The only rules for which this is not obvious are (6) and (7). First note that [[σ]]^T is non-empty for any type σ. Hence, player ∃ can always choose some g. Then let, for some arguments h_1, ..., h_m chosen by player ∀, T := g h_1 ... h_m. Note that it is impossible to have T = ∅ and at the same time S \ T = ∅ for as long as S ≠ ∅ for the underlying state space S. Hence, player ∀ cannot get stuck in this rule either.

If a play finishes because no rule applies then the formula in the current configuration must either be atomic or a negation of an atomic formula, i.e. of one of the forms q, ¬q, X, ¬X for some q ∈ P, X ∈ V. In any case, one of the winning conditions (1)–(4) and (6)–(9) applies.

This shows that every play has at least one winner. Finally, it is not hard to see that the winning conditions are mutually exclusive, i.e. every play has at most one winner. □

Theorem 3.12. Let φ_0 be closed, fixpoint-free, and of type Pr. If s_0 ∈ [[φ_0]]^T then player ∃ has a winning strategy for the game G_T(s_0, φ_0).

Proof. We call a configuration C = t, f_1, ..., f_k, η ⊢ ψ of the game G_T(s_0, φ_0) true if t ∈ [[ψ]]^T_η f_1 ... f_k. Otherwise we call C false.

Suppose s_0 ∈ [[φ_0]]^T, i.e. the starting configuration s_0, η_0 ⊢ φ_0 of G_T(s_0, φ_0) is true. Player ∃'s strategy will consist of preserving truth along a play. We will show by case distinction on the last rule played that player ∃ can enforce a play in which every configuration is true. I.e. if a configuration that is true requires her to make a choice then she can choose a successor configuration which is also true. If such a configuration requires player ∀ to make a choice then regardless of what he selects, the successor will always be true.

Cases (1) and (2), the Boolean operators. If a play has reached a configuration t, η ⊢ ψ_1 ∨ ψ_2 that is true then there is an i ∈ {1, 2} s.t. t, η ⊢ ψ_i is true. Player ∃ chooses this i. Note that player ∀ will ultimately preserve truth if he makes a choice in a configuration t, η ⊢ ¬(ψ_1 ∨ ψ_2).

Cases (3) and (4), the modal operators. Similarly, player ∃ can preserve truth in a configuration of the form t, η ⊢ ⟨a⟩ψ, and player ∀ must preserve truth in a configuration of the form t, η ⊢ ¬⟨a⟩ψ.

Case (5), double negation. Preservation of truth is trivial.

Case (6), positive application. Suppose the play has reached a configuration t, f_1, ..., f_k, η ⊢ φ ψ that is true. Let g := [[ψ]]^T_η. Note that g always exists, hence, player ∃ can choose it. By β-equivalence we have

which shows that truth is preserved if player ∀ selects his first option.

Suppose he selects his second option with arguments h_1, ..., h_m for g instead. Since g = [[ψ]]^T_η we obviously have for all t ∈ S: t ∈ g h_1 ... h_m iff t ∈ [[ψ]]^T_η h_1 ... h_m. This shows that truth is preserved regardless of which way player ∀ leads.

Case (7), negative application. This is the same as the case above. Note that, by the semantics of the negation operator, we have ¬(φ ψ) = (¬φ) ψ.

Cases (8) and (9), λ-abstraction. This is only an equivalence-preserving β-reduction. Hence, truth is preserved. For case (9) remember that the complement of a function is defined pointwise.

It remains to be seen that this truth-preserving strategy guarantees player ∃ to win any play. I.e. assume that player ∀ uses his best strategy against player ∃'s truth-preserving strategy and consider the unique play C_0, ..., C_n that results from playing against each other. By the argumentation above, we know that C_i is true for all i = 0, ..., n. A quick inspection of player ∀'s winning conditions (6)–(10) shows that he cannot be the winner of this play because all of them require the play at hand to end in a configuration that is not true.

According to Lemma 3.11 player ∃ wins every play in which she uses the truth-preserving strategy. Hence, this is a winning strategy. □

Theorem 3.13. Let φ_0 be closed, fixpoint-free, and of type Pr. If s_0 ∉ [[φ_0]]^T then player ∀ has a winning strategy for the game G_T(s_0, φ_0).

Proof. Similar to the proof of Theorem 3.12. The starting configuration of G_T(s_0, φ_0) is false. An analysis of the game rules shows that player ∀ can preserve falsity with his choices, and player ∃ must preserve falsity.

This is shown for rules (1), (2), (3), (4) and (5) in the same way as above in the proof of Thm. 3.12. Here we only consider the case (6). The case of rule (7) is shown analogously.

Suppose the current configuration is s, f_1, ..., f_k, η ⊢ φ ψ, s.t. ψ has type σ and player ∃ has chosen some g ∈ [[σ]]^T. We need to distinguish two subcases.

If s ∉ [[φ]]^T_η g f_1 ... f_k then player ∀ can easily preserve falsity by choosing the successor configuration s, g, f_1, ..., f_k, η ⊢ φ.

If s ∈ [[φ]]^T_η g f_1 ... f_k then we must have g ≠_σ [[ψ]]^T_η, for equality would, by β-equivalence, contradict the assumption that the current configuration is false. Remember that ≠_σ is inequality w.r.t. the pointwise order ⊑_σ. Now suppose σ = σ_1 → ... → σ_m → Pr. Hence, there must be h_i ∈ [[σ_i]]^T for i = 1, ..., m s.t. g h_1 ... h_m ≠ [[ψ]]^T_η h_1 ... h_m. First of all, player ∀ can choose these arguments h_1, ..., h_m. Next, let T := g h_1 ... h_m and T' := [[ψ]]^T_η h_1 ... h_m. Note that T, T' ⊆ S. Hence, T ≠ T' means T ⊈ T' or T' ⊈ T.

In the first case there is a t ∈ g h_1 ... h_m s.t. t ∉ [[ψ]]^T_η h_1 ... h_m. Player ∀ can choose this t and continue with the configuration t, h_1, ..., h_m, η ⊢ ψ which is false.

In the second case note that T' ⊈ T iff S \ T ⊈ S \ T'. Hence, there is a t ∉ g h_1 ... h_m s.t. t ∉ S \ ([[ψ]]^T_η h_1 ... h_m). Again, player ∀ can choose this t and continue with the false configuration t, h_1, ..., h_m, η ⊢ ¬ψ.

The proof is finished just like the proof of Thm. 3.12. With this strategy, player ∀ can always enforce a play that ends in a false configuration, but player ∃ can only win plays that end in true configurations. □

Putting these two theorems together shows that these games correctly characterise the satisfaction relation for fixpoint-free HFL.

Corollary 3.14. For all transition systems T, all of their states s, and all fixpoint-free HFL formulas φ of type Pr we have: T, s ⊨ φ iff player ∃ wins the game G_T(s, φ).

Lemma 3.15. For any k, m ≥ 1, any T = (S, {→a | a ∈ A}, L) with |S| = n, any s ∈ S,

and any φ ∈ HFL^{k,m}, G_T(s, φ) is a reachability game of size at most

Proof. It should be clear from the definition of the game that G_T(s, φ) can indeed be regarded as a reachability game (V_∃, V_∀, E, v_0, W_∃, W_∀). Its node set V := V_∃ ∪ V_∀ ∪ W_∃ ∪ W_∀ consists of all possible configurations in G_T(s, φ) plus auxiliary configurations that represent the choices made by either player in rules (6) and (7), which require an alternating sequence of choices of fixed depth 3. However, this can at most double the number of nodes in comparison to the number of configurations.

The starting node v_0 is the starting configuration s, η ⊢ φ for an everywhere undefined η. The partition of the nodes is given by the definition of the game rules and winning conditions above: V_∃, resp. V_∀ are all those configurations that require player ∃, resp. ∀ to make a choice, including the auxiliary configurations for the choices in between rules. The edges of the game are simply given by the game rules. W_∃, resp. W_∀ are all those configurations that end a play according to one of the winning conditions. Lemma 3.11 shows that these games are determined.

What remains to be seen is that the size of G_T(s, φ) is bounded accordingly. There are at most n different states t ∈ S, and at most |φ| many formulas ψ ∈ FL(φ). The maximal width of a configuration, the parameter m' in t, f_1, ..., f_{m'}, η ⊢ ψ, is bounded by m since here ψ has a type of arity m'. According to Lemma 3.3 there are at most ^{k-i)m'' '^2^^ i+m) many different functions f_i of type order k − 1. None of these can be of type order k because they only occur as arguments to formulas of strictly higher order. We simply define tt^C^-i)™- := m if k = 1 rather than introducing max-operators in these terms.

Finally, we need to estimate the number of different environments η. These map at most each λ-bound variable X of type τ in φ to an element of [[τ]]^T. Again, if X occurs bound in φ, then there is a λX.ψ ∈ FL(φ) of type σ, and we have ord(σ) ≥ ord(τ) + 1. Hence, there are at most m^^"^^™'' ^2^^^ i+m)' many possible values for each such X, and thus at most (m^^"^^™'' ^2^^^ i+m)')^{v(φ)} many different environments η. Putting this together we obtain

as an upper bound on the number of nodes in G_T(s, φ). The number of edges in this directed graph can of course be at most quadratic in the number of nodes, which finishes the proof. □



3.4. The Model Checking Complexity.

Theorem 3.16. The model checking problem on a transition system T of size n and an HFL^{k,m} formula φ can be solved in time 20iM'=-^og[n-M)) ,^2l^rn+k-i)>'-^ ■^0{\v\^) for k, m ≥ 1.

Proof. Let S be the state space of T, n := |S|, and φ ∈ HFL^{k,m} for some k, m ≥ 1 be closed. According to Lemma 3.8 there is a fixpoint-free φ' s.t.

• |φ'| ≤ |φ| · (n + 1)^{|φ|} · (2^("^+'=-i)'~>-lv'l, and

• for all s ∈ S we have T, s ⊨ φ iff T, s ⊨ φ'.

Now take any s ∈ S. Consider the reachability game G_T(s, φ'). According to Lemma 3.15 its size is at most

by replacing |φ'| according to Lemma 3.8. This can be approximated from above by
4 . (n + l)2|v'l+2 . |(^|3|<p|'=+2 . ^2'^{m+k~l)'^-^-^2M''+6\<p\ 

because |φ| is an upper bound on m, k and v(φ). By Cor. 3.14 we have T, s ⊨ φ' iff player ∃ has a winning strategy for G_T(s, φ'). And by Thm. 3.10 the asymptotic time needed to solve this game equals its size. □

Corollary 3.17. For any k, m ≥ 1 the HFL^{k,m} model checking problem is in kEXPTIME.

Corollary 3.18. For any k, m ≥ 1 the model checking problem for HFL^{k,m} on a fixed transition system is in EXPTIME.

Proof. If k, m and n are fixed constants then so is 2^^^ ^. Hence, model checking in this case can be done in time 2^{O(|φ|^2 + |φ|^k · log |φ|)}. □



4. The Lower Bound

We will show that the upper bound in Cor. 3.17 is optimal by reducing the word problem for alternating space bounded Turing Machines to the model checking problem for HFL. Let F_0(p(n)) := 2^{p(n)} and F_{k+1}(p(n)) := 2^{p(n) · F_k(p(n))} for any polynomial p(n). A simple induction shows F_k(p(n)) ≥ 2^^] for all k, n ∈ ℕ. Clearly, the space used by a 2^^"^-space bounded Turing Machine is also bounded by F_{k−1}(p(n)) for k ≥ 1. This slight shift in indices makes the encoding of large numbers in the next section easier. On the other hand, it only allows us to consider alternating 2^^"^-space bounded Turing Machines when k ≥ 1. Hence, we will only obtain kEXPTIME-hardness results for k ≥ 2. Fortunately, the results for the HFL^{1,m} fragments follow from known lower bounds for FLC [18].
Figure 3: Encoding large numbers as lexicographically ordered functions.



4.1. Representing Large Numbers in HFL. Let τ_0 := Pr and τ_{k+1} := τ_k → Pr for all k ∈ ℕ. Note that on a transition system of exactly p(n) states we have |[[τ_k]]| = F_k(p(n)) for all k ∈ ℕ. In order to model the position of the head and the sequence of the cells of a tape of size F_k(p(n)) we therefore use a transition system T with p(n) many states, and an encoding of the natural numbers {0, ..., F_k(p(n)) − 1} via HFL functions (see the footnote below) of type τ_k over T. This is done by induction on k. Let n and the polynomial p(n) be fixed.

For k = 0 we assume that T contains p(n) many states called 0, ..., p(n) − 1. A number i between 0 and F_0(p(n)) − 1 is now represented by the subset S_i = {j | the j-th bit of i is 1} which has type τ_0. Let ||i||^0 for i ∈ {0, ..., F_0(p(n)) − 1} denote the function of type τ_0 that represents the natural number i in this way.

Now let k > 0. By assumption there are HFL functions ||0||^{k−1}, ..., ||F_{k−1}(p(n)) − 1||^{k−1} of type τ_{k−1} that represent the numbers 0, ..., F_{k−1}(p(n)) − 1. Clearly, these are linearly ordered by the standard ordering on the numbers that they represent. We now need to find a representation of the numbers 0, ..., F_k(p(n)) − 1 via HFL functions of type τ_k = τ_{k−1} → Pr.

These functions have a finite and linearly ordered domain as well as co-domain. Hence, we can regard them as lexicographically ordered words of length F_{k−1}(p(n)) over the alphabet {||0||^0, ..., ||F_0(p(n)) − 1||^0}, or simply as base-F_0(p(n)) numerals with F_{k−1}(p(n)) digits. Now ||i||^k simply is the i-th function in this lexicographic ordering as depicted in Fig. 3. The leftmost column contains the symbolic name for the i-th function in that ordering. The upper row contains the ordered list of all possible arguments x for any such ||i||^k, while the entries below denote the values ||i||^k x.

Footnote: We will also use the term "function" for an object of type τ_0, which strictly speaking is a set, hence a function of order 0.
Figure 4: The transition system T_{M,w} for p(n) = 4.



4.2. The Reduction. For the remainder of this section we fix an alternating F_k(p(n))-space bounded Turing Machine M = (Q, Σ, Γ, q_0, δ, q_acc, q_rej) and an input word w of length n. W.l.o.g. we assume p(n) ≥ n for all n ∈ ℕ. According to Thm. 2.12 we can also assume Σ = Γ and |Γ| = 2.

Of course, symbols are just purely syntactic objects. However, later we need to encode these two symbols as propositions in transition systems, and we will use the propositions tt and ff to do so. Hence, we can simplify notation slightly by assuming Γ = {tt, ff} as two different alphabet letters with no attached meaning. W.l.o.g. we assume that the special blank symbol □ is encoded by a sequence of the symbol ff of some suitable length.

The goal is to construct a transition system T_{M,w} and an HFL formula Φ_{M,w}, both of polynomial size, s.t. T_{M,w}, s ⊨ Φ_{M,w} iff w ∈ L(M) for some state s. The types of the subformulas of Φ_{M,w} that we present in the following can easily be inferred. We will therefore omit type annotations.

We begin with the construction of the transition system. Let P := ∅, i.e. no state of T_{M,w} carries a label. There are two modal accessibility relations with labels lower and test.

Let T_{M,w} = (S, {→lower, →test}, L) where S = {0, ..., p(n) − 1}, and L maps every state to the empty set. The lower-relation simply resembles the less-than-relation on natural numbers: i →lower j iff j < i. The test-relation forms a clique: i →test j for all i, j ∈ S. It is used to form global statements. Note that for all states i, j and all formulas ψ: i ⊨ [test]ψ iff j ⊨ [test]ψ. Fig. 4 depicts T_{M,w} for p(n) = 4. The transitions above the states are the lower-relation. Consequently, they only lead from the left to the right. The transitions below the states are the test-relation.

For the remainder of this section we fix T_{M,w} as the transition system over which formulas are interpreted and write [[·]] instead of [[·]]^{T_{M,w}}.

Remember that any function of type τ_0 represents a number in binary coding over T_{M,w}: ||i||^0 = {j | the j-th bit of i is 1}. Furthermore, the transitions in T_{M,w} allow a bit to assess the values of all lower bits. The HFL^{1,1} formula

inc^0 := λX. X ↔ ⟨lower⟩¬X

models the increment among the number representations ||0||^0, ..., ||F_0(p(n)) − 1||^0. Increment of a binary counter sets a bit of the input to 0 if itself and all lower bits are 1. A bit is set to 1 if it currently is 0 and all lower bits are 1. A bit is preserved if a lower-valued bit is unset. Applied to ||F_0(p(n)) − 1||^0 this yields ||0||^0 again. Similarly, we can model the decrement among these values as

dec^0 := λX. X ↔ ⟨lower⟩X



Lemma 4.1. For all i ∈ {0, ..., F_0(p(n)) − 1} we have:

a) [[inc^0]] ||i||^0 = ||i + 1 mod F_0(p(n))||^0,

b) [[dec^0]] ||i||^0 = ||i − 1 mod F_0(p(n))||^0.

Proof. We will only show part (a) since part (b) is entirely analogous. Take any i ∈ {0, ..., F_0(p(n)) − 1} and let m := p(n) − 1 = (log F_0(p(n))) − 1. Furthermore, let b_m ... b_0 ∈ {0, 1}^{m+1} be the binary representation of the number i. According to the encoding described in the previous section, we have ||i||^0 = {j | b_j = 1}.

Now take any state j and suppose j ∈ [[inc^0]] ||i||^0. The body of the λ-abstracted formula inc^0 is a bi-implication which can be seen as an abbreviation of a disjunction of two conjunctions. Hence, there are two possibilities.

• Either j ⊨ X ∧ ⟨lower⟩¬X with X interpreted as ||i||^0. This means that bit j is set in i and there is a lower bit that is not set in i. Hence, bit j is also set in i + 1 mod F_0(p(n)).

• Or j ⊨ ¬X ∧ [lower]X under the same interpretation of X. Then the j-th bit is the lowest bit which is unset in i. Hence, it gets set in i + 1 mod F_0(p(n)).

This shows that only those bits are included in the increment process that should be included. The converse direction (all necessary bits are included) is shown in the same way by case analysis. Suppose j ∉ [[inc^0]] ||i||^0, i.e. j ⊭ X ↔ ⟨lower⟩¬X with X interpreted by ||i||^0.

• Either j ⊨ X ∧ [lower]X. Then the j-th bit is among all those least bits that are set in i. Hence, it gets unset in i + 1 mod F_0(p(n)).

• Or j ⊨ ¬X ∧ ⟨lower⟩¬X. Then the j-th bit is not set in i, but there is a lower bit that is not set either. Hence, it preserves its value and remains unset in i + 1 mod F_0(p(n)). □

In order to define the increment and decrement of numbers ||i||^k in lexicographic ordering for some k > 0 we need to have equality, less-than and greater-than tests on lower types τ_{k−1}. They can be implemented as functions of type τ_{k−1} → τ_{k−1} → Pr. Equality simply makes use of the fact that two numbers are equal iff they have the same binary representation.

eq^0 := λI.λJ.[test](I ↔ J)

The other comparing functions need to access single bits. Remember that i < j iff there is a bit that is unset in i and set in j s.t. i and j agree on all higher bits. We therefore first define formulas bit_i for i = 0, ..., p(n) − 1 s.t. bit_i axiomatises the state i, i.e. j ⊨ bit_i iff i = j. This can be done recursively as

bit_0 := [lower]ff,   bit_{i+1} := ⟨lower⟩bit_i ∧ [lower] ⋁_{j<i} …

Note that |bit_i| is O(i^2) only.

lt^0 := λI.λJ. ⋁_{k=0}^{p(n)−1} … ⋀_{h>k} …

gt^0 := λI.λJ.(lt^0 J I)
Lemma 4.2. For all i, j ∈ {0, ..., F_0(p(n)) − 1} we have:

a) [[eq^0]] ||i||^0 ||j||^0 = S if i = j, and ∅ otherwise;

b) [[lt^0]] ||i||^0 ||j||^0 = S if i < j, and ∅ otherwise;

c) [[gt^0]] ||i||^0 ||j||^0 = S if i > j, and ∅ otherwise.

Proof. (a) The binary representation of a number is unique. Hence, i = j iff ||i||^0 = ||j||^0 iff for all s ∈ S: s ∈ ||i||^0 ⇔ s ∈ ||j||^0. The rest follows from the fact that [test](I ↔ J) either holds in all states or in none of S.

(b) Similarly, we have i < j iff there is a bit that is unset in ||i||^0 but set in ||j||^0, and ||i||^0 and ||j||^0 agree on all higher bits. Again, each disjunct of the form [test] ... is satisfied by either all or no states, and so is the entire disjunction.

(c) Follows directly from (b). □

We will call an HFL formula ψ of some type σ_1 → ... → σ_m → Pr 2-valued iff for all x_1 ∈ [[σ_1]], ..., x_m ∈ [[σ_m]] we have [[ψ]] x_1 ... x_m = S or [[ψ]] x_1 ... x_m = ∅. For example, eq^0, lt^0, and gt^0 are 2-valued. Such functions will be used to model predicates, i.e. functions whose return value should be either true or false.

Before we can extend the incrementation and decrementation functions to types τ_k for some k > 0 we need to define some auxiliary functions and macros.

For HFL formulas β, ψ_1, ψ_2 of type Pr let

if β then ψ_1 else ψ_2 := (β ∧ ψ_1) ∨ (¬β ∧ ψ_2)

Note that if [[β]] is either S or ∅ then we have

[[if β then ψ_1 else ψ_2]] = [[ψ_1]] if [[β]] = S, and [[ψ_2]] if [[β]] = ∅.

For any k ∈ ℕ we can easily define formulas min^k and max^k that encode the minimal and maximal element in the range of 0, ..., F_k(p(n)) − 1.

min^0 := ff   max^0 := tt

min^{k+1} := λX.min^0   max^{k+1} := λX.max^0

We will define by simultaneous induction on k the following formulas.

• exists^k : (τ_k → Pr) → Pr

It takes a predicate P on the number representations ||0||^k, ..., ||F_k(p(n)) − 1||^k and decides whether or not there is an i s.t. P ||i||^k holds. If P is 2-valued then so is exists^k. It is defined as

exists^k := λP. ((μZ.λX.(P X) ∨ Z (inc^k X)) min^k)




• forall^k : (τ_k → Pr) → Pr

Similarly, this function checks whether P holds for all such i.

forall^k := λP.¬((exists^k) (¬P))

• eq^k : τ_k → τ_k → Pr

This is a 2-valued function which decides whether two given representations from ||0||^k, ..., ||F_k(p(n)) − 1||^k encode the same number. Note that for k = 0 this has already been defined above.

eq^k := λI.λJ.forall^{k−1} (λX.eq^0 (I X) (J X))

• lt^k : τ_k → τ_k → Pr

This 2-valued function decides for two number representations whether the less-than relationship holds between the two encoded numbers. Again, the case of k = 0 has been dealt with above.

lt^k := λI.λJ.exists^{k−1} (λX.(lt^0 (I X) (J X)) ∧ forall^{k−1} (λY.(gt^{k−1} X Y) → (eq^0 (I Y) (J Y))))

• gt^k : τ_k → τ_k → Pr

Using the last one we can easily decide for two number representations whether the greater-than relationship holds between the two encoded numbers.

gt^k := λI.λJ.(lt^k J I)

• inc^k : τ_k → τ_k

This function models increment in the range of 0, ..., F_k(p(n)) − 1 for k > 0.

inc^k := λI.λX. if exists^{k−1} (λY.(lt^{k−1} Y X) ∧ ¬(eq^0 (I Y) max^0)) then I X else inc^0 (I X)

Incrementation is done in the same way as with the binary representation in the case of k = 0 above: inc^k applied to ||i||^k yields the function that agrees with ||i||^k on all arguments for which there is a smaller one whose value is not maximal, i.e. still less than F_0(p(n)) − 1. If all smaller arguments including itself have already reached the maximal value then they are reset to the minimal, i.e. ||0||^0. Note that inc^k also models the increment modulo F_k(p(n)).

• dec^k : τ_k → τ_k

Similarly, this models decrement in the range of 0, ..., F_k(p(n)) − 1 for k > 0.

dec^k := λI.λX. if exists^{k−1} (λY.(lt^{k−1} Y X) ∧ ¬(eq^0 (I Y) min^0)) then I X else dec^0 (I X)

These definitions are well-defined. For k > 0, inc^k and dec^k need lt^{k−1} and exists^{k−1}. The latter only needs inc^{k−1}. The former needs exists^{k−1} and forall^{k−1}, etc.
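As an added worked example (not code from the paper), the following Python program is an executable model of the encodings of Sections 4.1 and 4.2 over T_{M,w} with p(n) = 2 states. Level 0 uses the formulas inc^0, dec^0 and eq^0 literally (sets of states, ⟨lower⟩ and [test] as defined above); for k ≥ 1 it builds exists^k, forall^k, eq^k, lt^k, gt^k, inc^k, dec^k, min^k and max^k by the same simultaneous induction, storing a value of type τ_k as a table of (argument, digit) pairs. lt^0 and lt^k are implemented from their specifications in Lemmas 4.2 (b) and 4.5 (b) rather than from the bit_i formulas. All names (enc0, level, numbers, decode, check_counter, check_compare) are ours, and P = 2 is a constructed choice that keeps F_1(p(n)) = 256 small enough to enumerate.

```python
"""Added example, not code from the paper: an executable model of the number encodings of
Sections 4.1 and 4.2 over the transition system T_{M,w} with p(n) = P states.  Level 0 uses
the formulas inc^0, dec^0, eq^0 literally; levels k >= 1 follow the simultaneous induction
of Section 4.2.  lt^0 and lt^k are taken from their specifications in Lemmas 4.2(b) and 4.5(b)."""
from functools import lru_cache

P = 2                                   # p(n): the states of T_{M,w} are 0 .. P-1 (constructed, tiny)
STATES = tuple(range(P))
S = frozenset(STATES)                   # [[tt]], the whole state set
EMPTY = frozenset()                     # [[ff]]

def F(k):
    """F_0(p) = 2^p and F_{k+1}(p) = 2^(p * F_k(p)): the number of values of type tau_k."""
    return 2 ** P if k == 0 else 2 ** (P * F(k - 1))

# Connectives of fixpoint-free HFL over T_{M,w}: i -lower-> j iff j < i; test is a clique.
def neg(X): return S - X
def iff(X, Y): return frozenset(i for i in STATES if (i in X) == (i in Y))
def dia_lower(X): return frozenset(i for i in STATES if any(j in X for j in range(i)))
def box_test(X): return S if X == S else EMPTY        # [test]X holds everywhere or nowhere
def ite(b, t, e): return (b & t) | (neg(b) & e)        # if b then t else e, for 2-valued b

# Level 0: the number i is the set of states j whose bit j is 1 (type tau_0 = Pr).
def enc0(i): return frozenset(j for j in STATES if (i >> j) & 1)
def num0(X): return sum(1 << j for j in X)
def inc0(X): return iff(X, dia_lower(neg(X)))          # inc^0 := lambda X. X <-> <lower> not X
def dec0(X): return iff(X, dia_lower(X))               # dec^0 := lambda X. X <-> <lower> X
def eq0(I, J): return box_test(iff(I, J))              # eq^0  := lambda I. lambda J. [test](I <-> J)
def lt0(I, J): return S if num0(I) < num0(J) else EMPTY    # 2-valued, per Lemma 4.2(b)
def gt0(I, J): return lt0(J, I)
MIN0, MAX0 = EMPTY, S                                  # min^0 := ff, max^0 := tt

# Level k >= 1: a value of type tau_k = tau_{k-1} -> Pr is a table of (argument, digit) pairs,
# stored as a frozenset so that it is hashable and can itself be an argument one level up.
def app(I, x): return next(v for a, v in I if a == x)

@lru_cache(maxsize=None)
def numbers(k):
    """||0||^k, ..., ||F_k - 1||^k in order, obtained by iterating inc^k from min^k."""
    L, out, x = level(k), [], level(k)["min"]
    for _ in range(F(k)):
        out.append(x); x = L["inc"](x)
    return tuple(out)

def exists(k, pred):    # exists^k P = \/_i P (inc^k ... (inc^k min^k)): the fixpoint unfolded
    acc = EMPTY
    for x in numbers(k): acc = acc | pred(x)
    return acc

def forall(k, pred): return neg(exists(k, lambda x: neg(pred(x))))    # forall^k := not exists^k (not P)

@lru_cache(maxsize=None)
def level(k):
    """min^k, max^k, eq^k, lt^k, gt^k, inc^k, dec^k, defined by simultaneous induction on k."""
    if k == 0:
        return dict(min=MIN0, max=MAX0, inc=inc0, dec=dec0, eq=eq0, lt=lt0, gt=gt0)
    lo, dom = level(k - 1), numbers(k - 1)
    ex, fa = (lambda p: exists(k - 1, p)), (lambda p: forall(k - 1, p))
    def eq(I, J): return fa(lambda x: eq0(app(I, x), app(J, x)))
    def lt(I, J):   # some digit of I is smaller, and all digits at greater arguments agree
        return ex(lambda x: lt0(app(I, x), app(J, x)) &
                  fa(lambda y: neg(lo["gt"](y, x)) | eq0(app(I, y), app(J, y))))
    def gt(I, J): return lt(J, I)
    def inc(I):     # a digit is increased iff every digit at a smaller argument is maximal (carry)
        return frozenset((x, ite(ex(lambda y: lo["lt"](y, x) & neg(eq0(app(I, y), MAX0))),
                                 app(I, x), inc0(app(I, x)))) for x in dom)
    def dec(I):
        return frozenset((x, ite(ex(lambda y: lo["lt"](y, x) & neg(eq0(app(I, y), MIN0))),
                                 app(I, x), dec0(app(I, x)))) for x in dom)
    return dict(min=frozenset((x, MIN0) for x in dom), max=frozenset((x, MAX0) for x in dom),
                inc=inc, dec=dec, eq=eq, lt=lt, gt=gt)

def decode(k, I):
    """The natural number a level-k value stands for: base F_0, least significant digit at ||0||^{k-1}."""
    if k == 0: return num0(I)
    return sum(num0(app(I, x)) * F(0) ** j for j, x in enumerate(numbers(k - 1)))

def check_counter(k):
    """Lemmas 4.1 and 4.6: inc^k and dec^k are +1 and -1 modulo F_k on the representations."""
    L, nums, n = level(k), numbers(k), F(k)
    return (all(decode(k, nums[i]) == i for i in range(n))
            and all(L["inc"](nums[i]) == nums[(i + 1) % n] for i in range(n))
            and all(L["dec"](nums[i]) == nums[(i - 1) % n] for i in range(n)))

def check_compare(k, sample):
    """Lemmas 4.2 and 4.5: eq^k, lt^k, gt^k are 2-valued and agree with =, <, > on the encoded numbers."""
    L, nums = level(k), numbers(k)
    return all(L["eq"](nums[i], nums[j]) == (S if i == j else EMPTY)
               and L["lt"](nums[i], nums[j]) == (S if i < j else EMPTY)
               and L["gt"](nums[i], nums[j]) == (S if i > j else EMPTY)
               for i in sample for j in sample)

if __name__ == "__main__":
    print(F(0), F(1), check_counter(0), check_counter(1), check_compare(1, range(0, 256, 15)))
```

Running it enumerates all 256 values of type τ_1 by iterating inc^1 from min^1 and confirms that the i-th one decodes to i, that inc^1 and dec^1 wrap around modulo F_1(p(n)), and that eq^1, lt^1 and gt^1 return S or ∅ in agreement with the encoded numbers; the same functions work for k = 2, but F_2(p(n)) = 2^{512} values cannot be enumerated, which is exactly the blow-up the reduction exploits.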

Remark 4.3. For all k ∈ ℕ we have:

ord(exists^k) = ord(forall^k) = k + 2

ord(eq^k) = ord(lt^k) = ord(gt^k) = k + 1

ord(inc^k) = ord(dec^k) = k + 1

mar(exists^k) = mar(forall^k) = 1

mar(eq^k) = mar(lt^k) = mar(gt^k) = 2

mar(inc^k) = mar(dec^k) = 2

The following lemmas provide exact specifications for the functions above and prove that their implementations comply with these specifications. They are all proved by simultaneous induction on k.

Lemma 4.4. For any function φ of type τ_k → Pr s.t. φ is two-valued we have:

a) [[exists^k φ]] = S, if ∃i ∈ {0, ..., F_k(p(n)) − 1} s.t. [[φ]] ||i||^k = S, and ∅ otherwise;

b) [[forall^k φ]] = S, if ∀i ∈ {0, ..., F_k(p(n)) − 1}: [[φ]] ||i||^k = S, and ∅ otherwise.

Proof. We will only prove part (a), since (b) follows from it by simple propositional reasoning. Note that for any formula φ we have

exists^k φ = ⋁_i φ (inc^k (inc^k (... (inc^k min^k) ...)))    (i applications of inc^k in the i-th disjunct)

by fixpoint unfolding. The rest follows from the correctness Lemmas 4.1 and 4.6 for inc^k and the fact that φ is assumed to be 2-valued. Clearly, the disjunction over disjuncts that all are either true or false is also either true or false. □

Lemma 4.5. For all $k > 0$ and $i, j \in \{0, \ldots, F_k(p(n)) - 1\}$ we have:

a) $[[eq^k]]\ \|i\|^k\ \|j\|^k = \mathcal{S}$ if $i = j$, and $\emptyset$ otherwise,

b) $[[lt^k]]\ \|i\|^k\ \|j\|^k = \mathcal{S}$ if $i < j$, and $\emptyset$ otherwise,

c) $[[gt^k]]\ \|i\|^k\ \|j\|^k = \mathcal{S}$ if $i > j$, and $\emptyset$ otherwise.

Proof. (a) This follows immediately from the definition of $eq^k$ and Lemmas 4.4 and 4.2. Note that $i = j$ iff they encode the same functions according to the representation of the previous section. Function equality, however, can easily be tested using the $forall$ macro to iterate through all possible arguments and the $eq^0$ function to compare the corresponding values.

(b) We have $i < j$ iff $\|i\|^k$ is lexicographically smaller than $\|j\|^k$ according to the encoding of the previous section. Now this is the case iff there is an argument $x$ s.t. the value of $\|i\|^k$ on $x$ is smaller than the value of $\|j\|^k$ on $x$, and for all arguments that are greater than $x$, these two functions agree. Hence, correctness of $lt^k$ follows from Lemmas 4.4, 4.2 and part (c) on $k - 1$.

(c) Follows from (a) and (b) by propositional reasoning. □
Lemma 4.6. For all $k > 0$ and $i \in \{0, \ldots, F_k(p(n)) - 1\}$ we have:

a) $[[inc^k]]\ \|i\|^k = \|i + 1 \bmod F_k(p(n))\|^k$,

b) $[[dec^k]]\ \|i\|^k = \|i - 1 \bmod F_k(p(n))\|^k$.

Proof. Again, we will only prove part (a) since part (b) is entirely analogous. Let $i \in \{0, \ldots, F_k(p(n)) - 1\}$, and $i' := i + 1 \bmod F_k(p(n))$. Remember that according to the previous section, $\|i'\|^k$ is the lexicographically next function after $\|i\|^k$. Hence, it is the function that takes an argument $x$ and returns $\|i\|^k\ x$ if there is a smaller argument $y$ s.t. $\|i\|^k\ y$ is not the maximal value. If there is no such smaller $y$ then it returns the value of $\|i\|^k$ on $x$ increased by one. This makes use of the fact that $inc^0$ increases modulo $F_0(p(n))$. Hence, on all lower-valued arguments the function values are reset to $\|0\|^0$ again. Therefore, correctness follows from Lemmas 4.1, 4.4, 4.2, and 4.5. □
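As an added illustration (not code from the paper), the following Python model implements the level-$k$ encodings and the macros $min^k$, $inc^k$, $dec^k$, $eq^k$, $lt^k$ and $exists^k$ as defined above and checks Lemmas 4.5 and 4.6 exhaustively on the small levels. It assumes a tiny constant $p(n) = P$ and stores a level-$k$ number as a tuple indexed by the rank of its argument; both are constructed for the example.

```python
"""Added example (not the paper's code): a Python model of the level-k number
encodings of Section 4 and of the macros min^k, inc^k, dec^k, eq^k, lt^k, exists^k.
Constructed assumptions: p(n) is the tiny constant P, so F_0 = 2**P; a level-0
number is an int in range(F_0) (the paper uses a set of P states, one per bit);
a level-k number, k >= 1, is a function from the F_{k-1} level-(k-1) numbers to
level-0 numbers, stored as a tuple indexed by the rank of the argument.  Lower
arguments weigh less, so F_k = F_0 ** F_{k-1} = 2^(p(n) * F_{k-1}) as in the paper."""

P = 1
F0 = 2 ** P


def F(k):
    """F_k(p(n)): how many numbers level k represents."""
    return F0 if k == 0 else F0 ** F(k - 1)


def minimum(k):
    """min^k, the encoding of 0 at level k."""
    return 0 if k == 0 else tuple([0] * F(k - 1))


def eq(k, i, j):
    """eq^k: forall^{k-1} over the arguments plus eq^0 on the values (Lemma 4.5(a))."""
    return i == j if k == 0 else all(eq(0, i[x], j[x]) for x in range(F(k - 1)))


def lt(k, i, j):
    """lt^k, the lexicographic order of Lemma 4.5(b): some argument x has a smaller
    value in i than in j, and both functions agree on every argument above x."""
    if k == 0:
        return i < j
    return any(lt(0, i[x], j[x]) and all(eq(0, i[y], j[y]) for y in range(x + 1, F(k - 1)))
               for x in range(F(k - 1)))


def inc(k, i):
    """inc^k: modulo F_0 at level 0.  At level k >= 1 the value at X is kept if some
    smaller argument Y is still below max^0 (the exists^{k-1} test of the definition);
    otherwise inc^0 is applied, resetting maximal values to 0 and bumping the
    lowest non-maximal one."""
    if k == 0:
        return (i + 1) % F0
    return tuple(i[x] if any(i[y] != F0 - 1 for y in range(x)) else inc(0, i[x])
                 for x in range(F(k - 1)))


def dec(k, i):
    """dec^k: the same scheme with min^0 in place of max^0."""
    if k == 0:
        return (i - 1) % F0
    return tuple(i[x] if any(i[y] != 0 for y in range(x)) else dec(0, i[x])
                 for x in range(F(k - 1)))


def all_numbers(k):
    """The unfolding in the proof of Lemma 4.4: exists^k ranges over inc^k iterated
    on min^k, so this lists every level-k number in increasing order."""
    out, i = [], minimum(k)
    while True:
        out.append(i)
        i = inc(k, i)
        if i == minimum(k):
            return out


def value(k, i):
    """The integer a level-k encoding denotes."""
    return i if k == 0 else sum(d * F0 ** x for x, d in enumerate(i))


def check_level(k):
    """Lemmas 4.5 and 4.6 on all of level k: inc^k enumerates 0..F_k-1 in order,
    dec^k inverts inc^k, and lt^k agrees with the numeric order."""
    nums = all_numbers(k)
    return (len(nums) == F(k)
            and all(value(k, n) == r for r, n in enumerate(nums))
            and all(dec(k, inc(k, n)) == n for n in nums)
            and all(lt(k, a, b) == (value(k, a) < value(k, b)) for a in nums for b in nums))
```

With $P = 1$ the levels have $F_0 = 2$, $F_1 = 4$ and $F_2 = 16$ numbers; level 3 already has $2^{16}$, which shows why only the tower height, not the state count, has to grow.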

This provides all the necessary tools to model the behaviour of the space-bounded alternating Turing Machine $\mathcal{M}$. In particular, $inc^k$ and $dec^k$ can be used to model the movements of the tape head on a tape of size $F_k(p(n))$.

Remember that a configuration of $\mathcal{M}$ in the computation on $w$ is a triple $(q, h, t)$ where $q \in Q$, $h \in \{0, \ldots, F_k(p(n)) - 1\}$, and $t : \{0, \ldots, F_k(p(n)) - 1\} \to \Gamma$. We will use the HFL type $\tau_k$ to model head positions $h$, and the type $\tau_{k+1}$ to model tape contents $t$. The state component of a configuration will be encoded in the formula. The two alphabet symbols $\mathit{tt}$ and $\mathit{ff}$ will be interpreted by the whole, resp. empty set of states, i.e. like the propositions $\mathit{tt}$ and $\mathit{ff}$.

First of all we need to define formulas that encode the starting configuration. Formula $head_0$ encodes position 0 on a tape of length $F_k(p(n))$. This is simply $head_0 := min^k$.

Remark 4.7. $ord(head_0) = k$, $mar(head_0) = 1$ if $k \geq 1$ and $0$ otherwise.

In order to encode the tape content of the starting configuration we need yet another auxiliary macro. Let $m \in \mathbb{N}$ and $j_1, \ldots, j_m$ be HFL formulas of type $\tau_k$, and $\psi, \psi_1, \ldots, \psi_m$ be HFL formulas of type $\tau_0$. We write

$case^k\ j_1 : \psi_1, \ldots, j_m : \psi_m\ \mathit{else}\ \psi$

to abbreviate

$\lambda I.\ \Big(\bigvee_{h=1}^{m} \big((eq^k\ I\ j_h) \wedge \psi_h\big)\Big) \vee \Big(\psi \wedge \bigwedge_{h=1}^{m} \big(\neg(eq^k\ I\ j_h) \vee \psi_h\big)\Big)$

Lemma 4.5 immediately gives us the following. Given formulas $j_1, \ldots, j_m$ of type $\tau_k$ that represent pairwise different numbers from $\{0, \ldots, F_k(p(n)) - 1\}$, and formulas $\psi_1, \ldots, \psi_m$, as well as a number $i \in \{0, \ldots, F_k(p(n)) - 1\}$, we have

$[[case^k\ j_1 : \psi_1, \ldots, j_m : \psi_m\ \mathit{else}\ \psi]]\ \|i\|^k = \begin{cases} [[\psi_h]], & \text{if } [[j_h]] = \|i\|^k \text{ for some } h \\ [[\psi]], & \text{o.w.} \end{cases}$



In order to define the tape content of the starting configuration of length $F_k(p(n))$ let $w = a_0 \ldots a_{n-1}$ with $a_i \in \{\mathit{tt}, \mathit{ff}\}$. We will use the case-construct to define the initial tape content by case distinction. In order to do so, we need to explicitly address the first $n$ tape cells via a formula $\chi^k_i$ s.t. $[[\chi^k_i]] = \|i\|^k$ for all $i, k$. This can be done recursively using the auxiliary formulas $bit_i$ from above.

$\chi^0_i := \bigvee_{j=0}^{p(n)-1} \begin{cases} bit_j, & \text{the } j\text{-th bit of } i \text{ is set} \\ \mathit{ff}, & \text{the } j\text{-th bit of } i \text{ is unset} \end{cases}$

Note that here we need to represent a number in the range of $0, \ldots, F_0(p(n)) - 1$ by the union over all its bit values, hence a disjunction rather than a conjunction which might seem more intuitive.

For $k \geq 0$ also recall that we have assumed $p(n) \geq n$ for all $n \in \mathbb{N}$, in particular $n < 2^{p(n)}$. This ensures an easy encoding of the small numbers $0, \ldots, n-1$ as functions of type $\tau_{k+1}$. Function $\|i\|^{k+1}$, for $i \in \{0, \ldots, n-1\}$, maps $\|0\|^k$ to $\|i\|^0$ and all other arguments to $\|0\|^0$, cf. Fig. [?]. Hence, for $k \geq 0$, let

$\chi^{k+1}_i := case^k\ min^k : \chi^0_i\ \mathit{else}\ min^0$

This allows us to represent the starting configuration of $\mathcal{M}$ on $w$ as a simple case distinction.

$tape_0 := case^k\ \chi^k_0 : a_0, \ldots, \chi^k_{n-1} : a_{n-1}\ \mathit{else}\ \mathit{ff}$

Here we utilise the fact that we encode the alphabet symbols $\mathit{tt}$ and $\mathit{ff}$ using the propositions $\mathit{tt}$ and $\mathit{ff}$ and the blank tape by a sequence of the symbol $\mathit{ff}$.

Remark 4.8. $ord(tape_0) = k + 1$, $mar(tape_0) = 2$.

Next we need formulas that encode the manipulation of configurations. In particular, we will have to model the head movement, and define formulas for reading and updating the symbol at a certain tape position. Remember that in an $F_k(p(n))$-space bounded configuration, the head position can be encoded using type $\tau_k$, and the tape content can be encoded using type $\tau_k \to Pr = \tau_{k+1}$. We need to define the following functions for any $a \in \Gamma$.

• $read^k_a : \tau_{k+1} \to \tau_k \to Pr$

Applied to an encoded tape content and head position it tests whether or not the symbol under the head on that tape is $a$. It is also a 2-valued predicate. Remember that there only are the two symbols $\mathit{tt}$ and $\mathit{ff}$ with corresponding encoding.

$read^k_{tt} := \lambda T.\lambda H.(T\ H)$

$read^k_{ff} := \lambda T.\lambda H.\neg(T\ H)$

• $write^k_a : \tau_{k+1} \to \tau_k \to \tau_{k+1}$

Given an encoded tape content $t$ and a head position $h$ it returns the tape content that contains $a$ at position $h$ and complies with $t$ on all other positions.

$write^k_a := \lambda T.\lambda H.\lambda H'.\ \mathit{if}\ (eq^k\ H\ H')\ \mathit{then}\ a\ \mathit{else}\ (T\ H')$

Remark 4.9. $ord(read^k_a) = k + 2$, $ord(write^k_a) = k + 2$, $mar(read^k_a) = 2$, $mar(write^k_a) = 3$.

In the following we write $\|t\|^k$ for the encoding of the tape $t$ of length $F_k(p(n))$ as a function of type $\tau_k \to Pr$. Equally, the head position $h$ in a configuration is encoded by $\|h\|^k$. We also write $t[h := a]$ for the update of $t$ with $a$ at position $h$. The next two lemmas show that the above functions are correct. Their proofs are straight-forward. The latter relies on the correctness of the if-then-else-construct.

Lemma 4.10. For all $k \in \mathbb{N}$, all $x \in \Gamma$, all tape contents $t$, and all head positions $h$ we have

$[[read^k_x]]\ \|t\|^k\ \|h\|^k = \begin{cases} \mathcal{S}, & \text{if the symbol in } t \text{ at position } h \text{ is } x \\ \emptyset, & \text{o.w.} \end{cases}$

Lemma 4.11. For all $k \in \mathbb{N}$, all $x \in \Gamma$, all tape contents $t, t'$, and all positions $h$ we have: $[[write^k_x]]\ \|t\|^k\ \|h\|^k = \|t'\|^k$ iff $t' = t[h := x]$.

The movement of the tape head is easily modeled using three functions $move^k_d : \tau_k \to \tau_k$ for $d \in \{-1, 0, +1\}$.

$move^k_{-1} := dec^k, \quad move^k_0 := \lambda H.H, \quad move^k_{+1} := inc^k$

Finally, we use the characterisation of acceptance in an alternating Turing Machine as a reachability game to construct the formula $\Phi^k_w$. Let $Q = \{q_0, \ldots, q_m, q_{acc}, q_{rej}\}$. We will simultaneously define for each state $q \in Q$ an eponymous function $q : \tau_{k+1} \to \tau_k \to Pr$ that, given a tape content $t$ and a head position $h$, signals as a 2-valued predicate whether or not $\mathcal{M}$ accepts starting in the configuration $(q, h, t)$. Let, for all $q \in Q$, $\Phi^k_q$ be the $q$-component of the simultaneous fixpoint

$\left(\begin{array}{l} q_0\ .\ \lambda T.\lambda H.\Phi_0 \\ \quad \vdots \\ q_m\ .\ \lambda T.\lambda H.\Phi_m \\ q_{acc}\ .\ \lambda T.\lambda H.\mathit{tt} \\ q_{rej}\ .\ \lambda T.\lambda H.\mathit{ff} \end{array}\right)$

where for all $i = 0, \ldots, m$:

$\Phi_i := \bigvee_{a \in \Gamma} (read^k_a\ T\ H) \wedge \begin{cases} \bigvee_{(q',b,d) \in \delta(q_i,a)} q'\ (write^k_b\ T\ H)\ (move^k_d\ H), & \text{if } q_i \in Q_\exists \\ \bigwedge_{(q',b,d) \in \delta(q_i,a)} q'\ (write^k_b\ T\ H)\ (move^k_d\ H), & \text{if } q_i \in Q_\forall \end{cases}$

Then define $\Phi^k_w := \Phi^k_{q_0}\ tape_0\ head_0$.

The following result about the order-restricted fragment into which $\Phi^k_w$ falls is easily obtained by collecting all the preceding remarks about the orders and maximal arities of all its subformulas. Note that those of highest type-order are $read^k$, $write^k$, and $q$ for each $q \in Q$. All of them have order $k + 2$.

Lemma 4.12. For all $k \in \mathbb{N}$: $\Phi^k_w \in \mathrm{HFL}^{k+2,3}$.

Theorem 4.13. For all $k \geq 1$, all $w \in \Gamma^*$ and all $F_k(p(n))$-space bounded alternating Turing Machines $\mathcal{M}$ we have:

$[[\Phi^k_w]]^{\mathcal{T}_{\mathcal{M},w}} = \begin{cases} \mathcal{S}, & \text{if } w \in L(\mathcal{M}) \\ \emptyset, & \text{o.w.} \end{cases}$



Proof. Let $\mathcal{M} = (Q, \Sigma, \Gamma, q_0, \delta, q_{acc}, q_{rej})$. Suppose $w \in L(\mathcal{M})$. Then there is an accepting run of $\mathcal{M}$ on $w$. Remember that $\mathcal{M}$ is alternating. Hence, this run can be represented as a tree $T$ with starting configuration $(q_0, 0, w\,\mathit{ff} \ldots \mathit{ff})$ as the root, s.t.

• every existential configuration has exactly one successor in the tree,

• for every universal configuration the set of its successors in the tree forms the set of all its successor configurations,

• all leaves are accepting configurations.

We now show $[[\Phi^k_w]]^{\mathcal{T}_{\mathcal{M},w}} = \mathcal{S}$ by induction on the height $h(T)$ of $T$. Since $\Phi^k_w$ is a simultaneously defined fixpoint function applied to two arguments we need a stronger inductive hypothesis. We will show that for all $q \in Q$ and all $t : \tau_k \to Pr$, $h : \tau_k$ encoding a tape content and a head position: $[[\Phi^k_q]]\ \|t\|^k\ \|h\|^k = \mathcal{S}$ if $\mathcal{M}$ accepts starting in the configuration given by $(q, h, t)$.

The base case is $h(T) = 1$ which means that the root is an accepting configuration. Hence, $q = q_{acc}$, and the claim is easily seen to be true by two applications of $\beta$-reduction.

If $h(T) > 1$ then we need to distinguish two cases. First, assume that $q \in Q_\exists$. Then there is exactly one successor configuration $(q', t', h')$ in $T$ which results from $(q, t, h)$ by one Turing Machine step according to $\delta$. Clearly, $\mathcal{M}$ accepts starting in $(q', t', h')$ and, by hypothesis, we have $[[\Phi^k_{q'}]]\ \|t'\|^k\ \|h'\|^k = \mathcal{S}$. One unfolding of the fixpoint formula together with Lemmas 4.10 and 4.11 shows that we also have $[[\Phi^k_q]]\ \|t\|^k\ \|h\|^k = \mathcal{S}$.

The case of $q \in Q_\forall$ is similar. Here, there are possibly several accepting subtrees of $T$. But the hypothesis applies to all of them and intersection over $\mathcal{S}$ several times is still $\mathcal{S}$.

This shows completeness. Soundness can be proved along the same lines because of determinacy. Note that if $w \notin L(\mathcal{M})$ then this is witnessed by a computation tree in which every universal configuration has only one successor, every existential one retains all of its successors, and all leaves are rejecting. □
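As an added illustration (not code from the paper), the following Python computes the simultaneous least fixpoint $\Phi_q$ from the proof above for a made-up 3-cell alternating machine, with $read$, $write$ and $move$ as plain tuple operations. The machine, the tape length $N = 3$ standing in for $F_k(p(n))$, and the encoding of $\mathcal{S}$ and $\emptyset$ as the booleans True and False are assumptions of the example.

```python
"""Added example (not the paper's code): the acceptance predicate of Theorem 4.13
computed as the simultaneous least fixpoint of the functions q : tape -> head -> Pr,
by Kleene iteration over the finitely many configurations of a space-bounded
alternating machine.
Constructed assumptions: the tape has N = 3 cells (in place of F_k(p(n))), heads are
ints and move_{+1}/move_{-1} wrap modulo N like inc^k/dec^k, the symbols tt/ff are
the booleans True/False, and S / the empty set are True / False.  The machine is
made up for the example: q0 branches to q1 and q2; q1 accepts iff cell 1 holds tt;
q2 steps right and then q3 accepts iff cell 2 holds tt."""
from itertools import product

N = 3
STATES = {"q0", "q1", "q2", "q3", "acc", "rej"}
# delta(q, a): set of (q', b, d) = successor state, symbol written, head move.
DELTA = {
    ("q0", True): {("q1", True, +1), ("q2", True, +1)},
    ("q0", False): {("q1", False, +1), ("q2", False, +1)},
    ("q1", True): {("acc", True, 0)},
    ("q1", False): {("rej", False, 0)},
    ("q2", True): {("q3", True, +1)},
    ("q2", False): {("q3", False, +1)},
    ("q3", True): {("acc", True, 0)},
    ("q3", False): {("rej", False, 0)},
}


def read(t, h, a):
    """read_a^k: tests whether the symbol under the head is a."""
    return t[h] == a


def write(t, h, a):
    """write_a^k: the tape t[h := a]; t itself is left untouched."""
    return t[:h] + (a,) + t[h + 1:]


def move(h, d):
    """move_d^k for d in {-1, 0, +1}, modulo N like dec^k / inc^k."""
    return (h + d) % N


def phi_table(universal):
    """[[Phi_q]] t h for every state q, tape t and head h.  acc/rej are the constants
    tt/ff; a state in Q_forall (`universal`) is the conjunction over delta(q, a) for
    the symbol a under the head, every other state the disjunction.  Starting from
    the bottom (only acc is true) and re-evaluating until nothing changes yields
    the least fixpoint, mirroring the induction on tree height in the proof."""
    tapes = list(product([False, True], repeat=N))
    phi = {(q, h, t): q == "acc" for q in STATES for h in range(N) for t in tapes}
    changed = True
    while changed:
        changed = False
        for (q, h, t), old in list(phi.items()):
            if q in ("acc", "rej"):
                continue
            succ = [phi[(q2, move(h, d), write(t, h, b))]
                    for a in (False, True) if read(t, h, a)
                    for (q2, b, d) in DELTA[(q, a)]]
            new = all(succ) if q in universal else any(succ)
            if new != old:
                phi[(q, h, t)], changed = new, True
    return phi


def accepts(word, universal):
    """[[Phi_w]] = Phi_q0 tape_0 head_0: start in q0 at cell 0 on the word padded
    with blanks, which are encoded by ff like the blank tape in Section 4."""
    tape0 = tuple(word) + (False,) * (N - len(word))
    return phi_table(frozenset(universal))[("q0", 0, tape0)]
```

Putting q0 into $Q_\forall$ or leaving it in $Q_\exists$ switches between the conjunction and the disjunction in $\Phi_i$ on the same tape, which is the case split in the proof above.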

4.3. Lower Bounds on the Model Checking Complexity.

Theorem 4.14. For all $k \geq 2$ and all $m \geq 3$ the model checking problem for $\mathrm{HFL}^{k,m}$ is $k$ExpTime-hard when $|\mathcal{P}| \geq 0$, $|\mathcal{A}| \geq 2$.

Proof. Let $k \geq 2$. According to Thm. 2.12 there is a $(k-1)$AExpSpace machine $\mathcal{M}$ s.t. $L(\mathcal{M})$ is $k$ExpTime-hard [4]. Using padding we can assume the space required by $\mathcal{M}$ on an input word of length $n$ to be bounded by $F_{k-2}(p(n))$ for some polynomial $p(n) \geq n$. Thm. 4.13 yields a reduction from $w \in \Gamma^*$ to labeled transition systems $\mathcal{T}_{\mathcal{M},w}$ and a formula $\Phi^{k-2}_w$ s.t. $w \in L(\mathcal{M})$ iff $\mathcal{T}_{\mathcal{M},w}, s \models \Phi^{k-2}_w$ for any state $s$.

According to Lemma 4.12 we have $\Phi^{k-2}_w \in \mathrm{HFL}^{k,3}$. Furthermore, $|\mathcal{T}_{\mathcal{M},w}|$ is clearly polynomial in $n$. The size of $\Phi^{k-2}_w$ is also polynomial in $n$, but this formula is only an abbreviation using the simultaneous fixpoint definition in $\Phi^{k-2}$ and we need to consider the Fischer-Ladner closure of its unabbreviated counterpart. But remember the definition of $\Phi^{k-2}_w$ as $\Phi^{k-2}_{q_0}\ tape_0\ head_0$. Unfolding only affects the subformula $\Phi^{k-2}_{q_0}$ whose size is independent of $n$. Hence, $|\Phi^{k-2}_w|$ is also polynomial in $n$. □

For the fragment $\mathrm{HFL}^1$ a similar result follows from the known ExpTime lower bound for FLC [18] and the embedding of FLC into $\mathrm{HFL}^{1,1}$ [28].

Proposition 4.15 ([18], [28]). There is an $\mathrm{HFL}^{1,1}$ formula over a singleton $\mathcal{P}$ and an $\mathcal{A}$ of size 2 whose set of models is ExpTime-hard.

The condition $|\mathcal{A}| \geq 2$ results from the fact that the reduction to FLC model checking is from the pushdown game problem. The number of different modal accessibility relations is $p + 1$ where $p$ is the size of the alphabet in the pushdown games. A close inspection of the ExpTime lower bound proof for this problem [29] shows that $p = 1$ is sufficient.

It has already been observed that model checking HFL on fixed and very small transition systems is non-elementary [19]. We repeat this observation here since it follows from the construction above in a very neat way. Remember that $\log^* n = i$ iff the $i$-fold iteration of the function $\lambda m.\lceil \log m \rceil$ starting in $n$ yields 1.

Theorem 4.16. The model checking problem for HFL on the fixed transition system of size 1, no transitions and no labels is non-elementary when maximal type arities are at least 2.

Proof. Note that Thm. 4.13 uses $p(n)$ many states to encode $F_k(p(n))$ many numbers for any $k \geq 1$. But $F_k(p(n)) = 2^{p(n) \cdot F_{k-1}(p(n))}$, thus $F_{k+1}(\log p(n)) \geq F_k(p(n))$. This means that the reduction in Thm. 4.13 also works with $\log p(n)$ many states, but yields a formula in $\mathrm{HFL}^{k+1}$ rather than $\mathrm{HFL}^k$. Iterating this shows that one state suffices for the reduction, but the result is only in $\mathrm{HFL}^{k + \log^* p(n)}$.

Finally, note that by the construction above, this single state does not have any $lower$-transitions. The transition $\xrightarrow{test}$ is redundant because we have $\models [test]\psi$ iff $\models \psi$ for any formula $\psi$. □

There is an apparent intuitive mismatch between this and Cor. 3.18 which both make a statement about the expression complexity of HFL on the smallest possible transition system. For every fixed $k, m$, this is in ExpTime. However, when $k$ is unbounded it becomes non-elementary. Even though this gap is huge in terms of complexity classes it is just tiny in terms of the HFL types that are necessary to achieve a non-elementary complexity: the type levels only have to be increased by $\log^* p(n)$. Note that $\log^* m \leq 6$ for any natural number $m$ that is representable using electron spins as bits when the entire observable universe is densely packed with electrons. The cause for the apparent intuitive mismatch is simply an underestimation of the exponential time hierarchy. Equally, a tower of height 6 is sufficient to exceed the numbers representable using the electron spins in this way.

The above two theorems raise the question of a lower bound for the data complexity of HFL. In the following we will modify the reduction to yield a formula $\Phi^k_{\mathcal{M}}$ that only depends on the alternating Turing Machine $\mathcal{M}$ rather than both the machine and the input word. Remember that, according to Thm. 2.12, there is, for any $k \geq 1$, such a machine with a word problem that is $k$ExpTime-hard.

The idea for the modification is simple. It is only the subformula $tape_0$ that depends on the input word. First, let

$tape_{empty} := \lambda X.\mathit{ff}$

model the tape that contains the blank symbol □ only.

Note that $\mathcal{T}_{\mathcal{M},w}$ has $p(n) \geq n$ many states. Hence, we can use these states together with a single proposition $q$ to model the input word $w = a_0, \ldots, a_{n-1} \in \{\mathit{tt}, \mathit{ff}\}^*$ by labelling state $i$ with

$L(i) := \begin{cases} q, & \text{if } i < n \text{ and } a_i = \mathit{tt} \\ \emptyset, & \text{o.w.} \end{cases}$

Let $\mathcal{T}'_{\mathcal{M},w}$ be the result of this. Note that it differs from $\mathcal{T}_{\mathcal{M},w}$ only through the additional labels on the states. An example with $p(n) = 4$ and $w = \mathit{tt}\,\mathit{tt}\,\mathit{ff}\,\mathit{tt}$ is shown in Fig. 5. For better readability we depict the relation only schematically.

Figure 5: The transition system $\mathcal{T}'_{\mathcal{M},w}$ for $p(n) = 4$ and $w = \mathit{tt}\,\mathit{tt}\,\mathit{ff}\,\mathit{tt}$ (the picture shows the states with their $lower$-transitions and the $test$-transition; not reproduced here).

All we need now is a formula that traverses through these states and uses the information obtained from each label to generate the original encoding $tape_0$ of the real input tape. This is done by the function $build^k : \tau_{k+1} \to \tau_k \to Pr \to Pr \to \tau_{k+1}$, defined as

$build^k := \mu Z.\lambda T.\lambda H.\lambda C.\lambda Y.$
$\quad \mathit{if}\ [test](C \to bit_{p(n)})\ \mathit{then}\ T$
$\quad \mathit{else\ if}\ [test](C \to q)$
$\quad\quad \mathit{then}\ Z\ (write^k_{tt}\ T\ H)\ (inc^k\ H)\ (\langle lower \rangle C \wedge [lower]Y)\ (C \vee Y)$
$\quad\quad \mathit{else}\ Z\ (write^k_{ff}\ T\ H)\ (inc^k\ H)\ (\langle lower \rangle C \wedge [lower]Y)\ (C \vee Y)$

The parameters $T$ and $H$ contain the current tape content and the position at which the next symbol is going to be written. From this perspective it is not surprising that $write^k$ and $inc^k$ are applied to them before a recursive call of $Z$. The parameters $C$ and $Y$ are used to identify the next state in $\mathcal{T}_{\mathcal{M},w}$ which is checked for the label $q$. Remember the recursive definition of the formulas $bit_i$ which is exactly what is reproduced here. Note that $ord(build^k) = k + 2$ and $mar(build^k) = 5$. Finally, let

$tape_{built} := build^k\ tape_{empty}\ min^k\ bit_0\ \mathit{ff}$

Lemma 4.17. For all $\mathcal{T}'_{\mathcal{M},w}$ which, in addition to $\mathcal{T}_{\mathcal{M},w}$, carry the input word $w$ through labels as defined above we have $[[tape_{built}]]^{\mathcal{T}'_{\mathcal{M},w}} = [[tape_0]]^{\mathcal{T}_{\mathcal{M},w}}$.

Proof. Assume that $\|t\|^k$ encodes a tape content $t$ and $\|h\|^k$ a head position on this tape. Then we have for all $i \in \{0, \ldots, p(n)\}$:

$[[build^k]]\ \|t\|^k\ \|h\|^k\ [[bit_i]]\ [[\bigvee_{j=0}^{i-1} bit_j]] = \begin{cases} \|t\|^k, & \text{if } i = p(n) \\ [[build^k]]\ \|t[h := a]\|^k\ \|h + 1\|^k\ [[bit_{i+1}]]\ [[\bigvee_{j=0}^{i} bit_j]], & \text{if } i < p(n) \end{cases}$

where $a = \mathit{tt}$ if $L(i) = q$ and $a = \mathit{ff}$ if $L(i) = \emptyset$. Thus, when applied to the initial values encoding the blank tape, leftmost head position, the state representing bit 0 and the empty disjunction, this least fixpoint recursion eventually yields the tape onto which the word $w$ at hand is written. This makes use of the fact that $p(n) \geq n$, i.e. the fixpoint recursion takes at least one more step after reading the entire input word before it terminates. □

Theorem 4.18. For all $k \geq 2$ and all $m \geq 5$ there is an $\mathrm{HFL}^{k,m}$ formula over a singleton $\mathcal{P}$ and an $\mathcal{A}$ of size 2 whose set of models is $k$ExpTime-hard.
Figure 6: A summary of the model checking complexity results. For each fragment the row marked ∈ gives the upper bound and the row marked "hard" the lower bound; an entry marked "complete" spans both.

  fragment                    |  combined                            |  data                                             |  expression
  HFL                  ∈      |  DTime(2_{|φ|}^{...})                |  kExpTime (complete)                              |  DTime(2_{|φ|}^{...})
                       hard   |  Elementary                          |                                                   |  Elementary
  HFL^0                ∈      |  UP ∩ co-UP                          |  P (complete)                                     |  UP ∩ co-UP
                       hard   |  P                                   |                                                   |  P
  HFL^1                ∈      |  ExpTime (complete when p ≥ 3)       |  ExpTime (complete when p ≥ 3)                    |  ExpTime
                       hard   |                                      |                                                   |  P
  HFL^{k,m}, k ≥ 2     ∈      |  kExpTime (complete when             |  kExpTime (complete when m ≥ 5, p ≥ 3             |  ExpTime
                       hard   |  m ≥ 3, p ≥ 2)                       |  or m ≥ 4, p ≥ 4)                                 |  P

Proof. Let $\Phi^k_{\mathcal{M}} := \Phi^k_{q_0}\ tape_{built}\ head_0$. Clearly, $\Phi^k_{\mathcal{M}}$ only depends on $\mathcal{M}$ and not on its input word $w$. Furthermore, we have $\Phi^k_{\mathcal{M}} \in \mathrm{HFL}^{k+2,5}$. The hardness result then follows from Lemma 4.17 and Thm. 4.13 along the same lines as the proof of Thm. 4.14. □

It is possible to reduce the maximal arity to 4 at the cost of an extra accessibility relation in the model. If there are transitions $i \xrightarrow{pred} j$ iff $j = i - 1$ then the formulas $bit_i$ can be defined more simply as $bit_0 := [pred]\mathit{ff}$ and $bit_{i+1} := \langle pred \rangle bit_i$, and the parameter $Y$ in $build^k$ is unnecessary.

5. Conclusions 

The table in Fig. 6 shows the complexity of the model checking problem for HFL. We distinguish the combined complexity (both transition system and formula as input), the expression complexity (model checking on a fixed transition system), and the data complexity (model checking with a fixed formula). Note that lower bounds from either expression or data complexity trivially transfer to the combined complexity while upper bounds for that trivially transfer back to both of them. In any case, $n$ denotes the size of the transition system, $\varphi$ is the input formula, $k$ the maximal type order and $m$ the maximal type arity of one of its subformulas, and $p := |\mathcal{P}| + |\mathcal{A}|$ is the number of underlying propositions and modal accessibility relations. Note that there are standard translations for modal logics that reduce one at the cost of increasing the other whilst preserving satisfiability. These could be incorporated directly into the reduction for the lower bound.

The entries stretching over two columns denote completeness results for the corresponding complexity class. The restrictions of the form $m \geq 2$ etc. of course only apply to the respective lower bound.
The estimation on the time complexity of model checking general HFL uses the fact that the maximal type order as well as the maximal type arity of a subformula of $\varphi$ are both bounded by $|\varphi|$.

Recall that Elementary does not have complete problems under polynomial time reductions. The upper bounds on the expression and combined complexity for general HFL model checking are therefore as close as possible to the corresponding lower bound.

The gaps between P and UP ∩ co-UP simply restate open questions about the exact model checking complexity of the modal $\mu$-calculus. The best upper bound known there in terms of complexity classes is UP ∩ co-UP so far [?]. The polynomial time lower bound for its expression complexity is taken from an unpublished manuscript [6]. Despite a lot of effort this gap remains open up to date.

The only question about the complexity of model checking HFL that is left unanswered but might be feasible is the gap in the expression complexity of $\mathrm{HFL}^{k,m}$ for any fixed $k, m \geq 1$. It remains to be seen whether there are fixed transition systems $\mathcal{T}_{k,m}$ s.t. for all $k, m$, the set of $\mathrm{HFL}^{k,m}$ formulas that are satisfied by $\mathcal{T}_{k,m}$ is ExpTime-hard.

Finally, the $k$ExpTime-completeness of $\mathrm{HFL}^{k,m}$'s data complexity immediately implies a hierarchy result regarding expressive power.

Corollary 5.1. For all $k \in \mathbb{N}$ we have: $\mathrm{HFL}^k < \mathrm{HFL}^{k+1}$.

Proof. For $k = 0$ this is known already because $\mathrm{HFL}^0$ is the modal $\mu$-calculus, which is strictly less expressive than FLC, and FLC embeds into $\mathrm{HFL}^{1,1}$ [22], [28].

Now take any $k \geq 1$. According to Thm. 4.14 there is a formula $\varphi \in \mathrm{HFL}^{k+1,3}$ whose set of models is $(k+1)$ExpTime-hard. Now suppose that there is also a $\psi \in \mathrm{HFL}^{k,m}$ for some $m \geq 1$ s.t. $\psi \equiv \varphi$. Note that $\varphi$ is fixed, and so is $\psi$. According to Thm. 3.17 this same set of models would also be included in $k$ExpTime which contradicts the complexity-theoretic time-hierarchy theorem of $k$ExpTime $\subsetneq (k+1)$ExpTime. □